UBC Theses and Dissertations


A simple proof checker for real-time systems Leung, Catherine 1995


Full Text

A SIMPLE PROOF CHECKER FOR REAL-TIME SYSTEMS

By Catherine Leung
B.Sc. (Computer Science), University of British Columbia

A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE in THE FACULTY OF GRADUATE STUDIES (COMPUTER SCIENCE)

We accept this thesis as conforming to the required standard

THE UNIVERSITY OF BRITISH COLUMBIA
June 1995
© Catherine Leung, 1995

In presenting this thesis in partial fulfilment of the requirements for an advanced degree at the University of British Columbia, I agree that the Library shall make it freely available for reference and study. I further agree that permission for extensive copying of this thesis for scholarly purposes may be granted by the head of my department or by his or her representatives. It is understood that copying or publication of this thesis for financial gain shall not be allowed without my written permission.

Department of Computer Science, The University of British Columbia, Vancouver, Canada. Date: June 1995.

Abstract

This thesis presents a practical approach to verifying real-time properties of VLSI designs. A simple proof checker with built-in decision procedures for linear programming and predicate calculus offers a pragmatic approach to verifying real-time systems in return for a slight loss of formal rigor when compared with traditional theorem provers. In this approach, an abstract data type represents the hypotheses, claim, and pending proof obligations at each step. A complete proof is a program that generates a proof state with the derived claim and no pending obligations. The user provides replacements for obligations and relies on the proof checker to validate the soundness of each operation. This design decision distinguishes the proof checker from traditional theorem provers, and enhances the view of "proofs as programs".
This approach makes proofs robust to incremental changes, and there are few "surprises" when applying rewrite rules or decision procedures to proof obligations. A hand-written proof constructed to verify the timing correctness of a high bandwidth communication protocol was verified using this checker.

Table of Contents

Abstract ii
List of Tables viii
List of Figures ix
Acknowledgement x
1 Introduction 1
1.1 Verifying Timing Properties with the Proof Checker 2
1.2 Theorem Provers 4
1.3 Verification Tools and Real-time Properties 6
1.4 Thesis Overview 7
2 Proof Checker Specification 8
2.1 Structure of the Proof Checker 8
2.1.1 Proof State 9
2.1.2 Proof Rules 11
2.2 The Proof Rules and their Soundness 12
2.2.1 Linear Programming Rule 13
2.2.2 Predicate Calculus Rule 14
2.2.3 Instantiation Rule 15
2.2.4 Skolemization Rule 15
2.2.5 Induction Rule 18
2.2.6 Definition Rule 19
2.2.7 Postponement Rules 20
2.2.8 Equality Rule 23
2.2.9 If Rule 23
2.2.10 Discrete Rule 24
2.3 Conclusion 24
3 Implementation of the Proof Checker 25
3.1 Abstract Data Type for Proof State 25
3.2 The Proof Rules and some Implementation Techniques 26
3.2.1 Defining the Concrete Types 27
3.2.2 Pattern Matching 28
3.2.3 Failures 29
3.3 Linear Programming 29
3.3.1 Simplex Method 30
3.3.2 Strict Inequalities (> and <) 35
3.3.3 Not-equal-to Relations (≠) 36
3.3.4 Special Cases 37
3.4 Implementation of Proof Rules 39
3.4.1 Linear Programming Rule 40
3.4.2 Predicate Calculus Rule 41
3.4.3 Skolemization Rule 42
3.4.4 Instantiation Rule 43
3.4.5 Induction Rule 44
3.4.6 Definition Rule 45
3.4.7 Postponement Rules 45
3.4.8 Equality Rule 47
3.4.9 If Rule 48
3.4.10 Discrete Rule 48
3.5 User Interface 49
3.5.1 Case Analysis over booleans 49
3.5.2 Case Analysis over integers 50
3.5.3 Discharged by Unchanged 50
3.5.4 Printing a State 52
3.5.5 Print Abbreviation 52
3.6 Conclusion 53
4 Verification of Real-time Properties 54
4.1 Synchronized Transitions: a hardware description language 55
4.2 Safety Properties and Invariants 56
4.3 Expressing Real-time Properties 59
4.4 Summary 63
5 Verifying STARI 64
5.1 STARI Interfaces 64
5.1.1 Self-timed FIFOs for STARI 66
5.1.2 A schedule for STARI 68
5.2 An ST Program for STARI 72
5.2.1 The invariant 74
5.3 The STARI Proof 77
5.3.1 A snapshot from the proof 78
5.3.2 Some Proof Techniques 82
5.3.3 Flaws from Manual Proof 84
5.4 Observations and Experiences 84
5.4.1 Verified Proof versus Manual Proof 84
5.4.2 FL as a meta-language 85
5.5 Evaluating the Proof and the Proof Checker 86
6 Conclusion 88
6.1 The Simple Approach to Proof Checking 88
6.2 Proofs as Programs 90
6.3 The Postponement Rules 91
6.4 Variable skew version of STARI proof 92
6.5 Summary 92
Bibliography 94
Appendices 96
A User Manual 97
A.1 Structure of Proof Checker 97
A.2 How to Start/Exit the System 98
A.3 Syntax Used in the Checker 99
A.4 Proof Rules 102
A.4.1 To Start/End a proof: (Start_proof/Done) 102
A.4.2 The Ten Proof Rules 104
A.4.3 Proof Debugging: debug mode 114
A.5 User Interface 115
A.5.1 Interface Functions 115
A.5.2 Auxiliary Functions 120
A.6 Example 122
B Proof Script for STARI 126
B.1 Proof Script for the Transmitter Transition 126
B.2 Proof Script for the FIFO Transition 143
B.3 Proof Script for the Receiver Transition 159
B.4 Proof Script for the Protocol 176

List of Tables

3.1 Linear Programming Rule 40
3.2 Predicate Calculus Rule 41
3.3 Skolemization Rule 42
3.4 Instantiation Rule 43
3.5 Induction Rule 44
3.6 Definition Rule 45
3.7 Postponement Rules 46
3.8 Equality Rule 47
3.9 If Rule 48
3.10 Discrete Rule 49
3.11 Case Analysis over Booleans 50
3.12 Case Analysis over Integers 51
3.13 Discharged by Unchanged 52

List of Figures

2.1 An example of a proof tree 9
3.2 A system of linear relations 30
3.3 Pseudocode for Linear Programming 38
4.4 A synchronous communication circuit 55
5.5 STARI communication 65
5.6 A self-timed FIFO 67
5.7 Stage-to-stage transfer times 71
5.8 A Synchronized Transitions program for STARI 75
5.9 The invariant for STARI 76
5.10 A branch from the STARI proof tree 79
6.11 Identity Properties and Cancellation Law of reals 89
A.12 Definition of Boolean type, Integer type, and Real type 101

Acknowledgement

I would like to thank my supervisor, Mark Greenstreet, for his time and patience, and his support. What he has taught me is beyond the technical material from the M.Sc. program. This thesis would not be here without him. Thank you, Mark. I am grateful to Scott Hazelhurst and Carl Seger for their assistance in using FL, and for many useful discussions and suggestions throughout the course of this research. My second reader, Norm Hutchinson, has provided valuable comments for this thesis. Special thanks to Scott for being a friend, and for being there during the good and bad times. Thanks to Jeff Joyce and Nancy Day for taking the time to discuss HOL with me. Nancy took the time to generate a proof for the example in the User Manual using HOL as a comparison to my proof checker. Thank you, Sree Rajan, for the discussions on PVS and taking the time to verify the same proof in PVS. I would like to thank Jack Snoeyink for his guidance in my early days as a graduate student. Many thanks to Helene Wong, Xiaomei Han, Mohammad Darwish, and all members of the ISD lab for all the support and encouragement.

Chapter 1
Introduction

Verification is an essential part of the design process. To ensure that a system is functionally correct, designers try to systematically capture requirements and show that they are satisfied. Formal methods can assist this process when the specification is amenable to mathematical formalization and practical techniques are available to carry out the proofs.
In particular, this thesis examines the application of formal methods to the verification of real-time systems. Specifications of timing correctness can often be expressed using simple predicates that include linear inequalities. These are readily expressed in precise and familiar mathematical notation. On the other hand, the proofs that these requirements are satisfied are often lengthy. This thesis presents a proof checker that can be used to ensure the soundness of such proofs.

The work presented in this thesis is motivated by a manual proof constructed to verify the timing correctness of a high bandwidth communication protocol, STARI [16]. STARI (Self-Timed At Receiver's Input) is a signaling technique for interchip communication that combines synchronous and asynchronous design methods. Although STARI is interesting in its own right, the manual proof is more tedious than it is profound, and its length makes it untrustworthy. Hand-written proofs often contain implicit assumptions and unstated arguments. Both can lead to errors. Even stated arguments can be wrong. This motivates developing mechanized tools to verify such proofs. Examining the manual proof for STARI, it appears that only a few, simple proof techniques were employed, which suggests that a simple proof checker could be written to certify such proofs. To test this hypothesis, such a proof checker was written. A proof checker takes a proof as input, verifies each step of the proof and certifies the resulting proof. This thesis presents a proof checker designed to verify proofs of real-time properties.

The remainder of the introduction includes a discussion of some techniques used to formulate proofs for verifying real-time properties and a survey of existing theorem provers. The chapter concludes with an overview of the thesis.
1.1 Verifying Timing Properties with the Proof Checker

Many existing theorem provers are either extremely tedious or require skilled users, or both. The thesis presented here is that a simpler proof checker, with a minimal set of inference rules, is powerful enough to verify correctness proofs for real-time systems. This proof checker, unlike many traditional theorem provers which embed profound mathematical theories, is more accessible to engineers who are more interested in the result of the verification than in the proofs involved. The fact that there is a simple mapping between the structures of proofs constructed with the proof checker and those of the manual proofs simplifies proof construction. The proof checker is domain specific: it is implemented to verify real-time properties in VLSI design, and a decision procedure for linear inequalities is incorporated into the system for this purpose.

A theorem prover takes a theorem statement as input, applies different inference rules, and outputs a proof. Often, the built-in inference rules correspond to fundamental axioms of mathematics, allowing the theorem prover to be used to develop a wide variety of theories. Automated application of these inference rules releases users from tedious reasoning, and allows them to focus on higher-level issues. Some theorem provers, which place emphasis on automation, have built-in heuristics to search through inference rules and decide which ones to apply in different scenarios. These theorem provers make multiple proof steps with minimal human interaction. Others, focusing on generality, require more human guidance. From a survey of existing theorem provers, it was noted that unpredictable output from inference rules can be frustrating in proof development. The proof checker described here avoids this problem because the user provides the expected result of each step.
The use of a functional meta-language as the user interface to the proof checker makes this approach practical: the user does not have to repeatedly type enormous expressions; instead, functions can be written in the metalanguage to compute intended results and other inputs to the checker. Inference rules are only used to verify whether the suggested output is a valid replacement of the preceding formula. This allows the user to control the exact structure output from an inference rule. This design decision eases the construction and manipulation of expressions, allows the user to locate the problem when a proof breaks down, and enhances the process of proof debugging.

The proof checker contains functions which allow the user to define abbreviations for large expressions. The pretty-printer, when printing a formula, replaces large expressions with equivalent user-defined abbreviations. This avoids printing out large, incomprehensible expressions, and allows the user to better understand the meaning of expressions instead of being confused by uninformative details.

Proof scripts can be written in modules that can be instantiated and reused. Thus if similar reasoning is required in various places in the proof, only one piece of 'code' needs to be constructed, and similar arguments can be expressed as instantiations of this single module definition. In addition to reducing the tedium of proof construction, this also allows the proof to be structured hierarchically.

When verifying timing properties of VLSI designs, the system is modeled as a Synchronized Transitions program, and invariants are used to establish safety properties. A continuous model of time is employed: times are represented as real numbers, not integers. Unlike discrete models of time, no time interval can be overlooked.
Real-time constraints are enforced by adding real-valued auxiliary variables, which are used for bookkeeping in the verification and are not represented by wires or voltages in the implementation. The same approach is presented in [11], where the auxiliary variables are called timers.

1.2 Theorem Provers

The popularity of proof checking and theorem proving tools has increased as formal methods have come to play an increasingly important role in hardware design and verification. Existing theorem provers are distinguished by the mathematical formalisms that they are based upon, the algorithms that are used to reason about these formulas, and the choice of batch-oriented versus interactive user interfaces.

HOL [7], the Higher Order Logic system, was developed at Cambridge University in the early 1980's. It is an LCF-based^1 [6, 12] theorem prover for formal specification and verification in higher-order logic. The entire system is based on the five fundamental Peano axioms and the abstraction axiom; users typically extend the system with built-in decision procedures to suit the application. There are no pre-determined application-specific concepts built into the system. For these reasons, the system is general and flexible. However, for the same reason, the system requires highly skilled users to guide the proof.

^1 LCF (Logic for Computable Functions) is an interactive reasoning tool which uses abstract data types to protect the soundness of theorems manipulated by the inference rules. Proof tactics or strategies are communicated to the system through a metalanguage (in the HOL system, ML is used as the metalanguage).

EHDM [22] and PVS [10, 22, 26, 27] were developed at SRI International in 1984 and 1991 respectively. EHDM uses a specification language based on typed higher order logic with a rich type system. The verification system includes a parser, pretty-printer, type-checker, proof checker, and various documentation aids. The proof checker involved is not interactive; instead, it is guided by proof descriptions which are included as part of the specification text by the user. EHDM allows modularization of specifications, which supports a form of hierarchical verification. PVS is an LCF-style theorem prover based on many of the concepts of EHDM. The PVS specification language has an even richer type system, including dependent types and predicate sub-types. Decision procedures in PVS include arithmetic, equality, predicate calculus, and a simple form of temporal logic.

The Boyer-Moore Prover [4] is a batch-oriented, heuristic theorem prover. It deals with a subset of quantifier-free first-order logic and consists of an ad hoc collection of heuristic proof techniques. Decision procedures are embedded into the system to increase its efficiency and predictability. To prove a theorem, the system assumes the negation of this theorem; in a series of simplifications, this negation is broken into a set of supposedly simpler formulas. Recursively, the simplifier tries to rewrite the hypotheses to non-F (a predicate not logically equivalent to the constant False) by a form of backwards chaining. When the goal to be proven is not suitable for these techniques, this approach can spend large amounts of time failing to find a proof. This complicates the addition of new decision procedures [3]. Furthermore, a significant amount of tedious human effort can be required in the exploratory phase of proof development to find an initial decomposition of the theorem that is amenable to the prover's heuristics.

The Larch Prover [13], like the Boyer-Moore Prover, deals with a subset of first-order logic and is based on equational term-rewriting. It does not employ heuristics to derive subgoals automatically.
The Larch Prover was originally used to debug a specification or a set of invariants; therefore its focus is on locating where and when a proof breaks down. The theorem prover works efficiently with large sets of large equations; however, the inference rules can yield huge expressions as a result.

1.3 Verification Tools and Real-time Properties

Several proof techniques have been developed to model real-time systems and verify their timing properties using the theorem provers described in the previous sections. For example, the semantics of Duration Calculus has been encoded in the logic of PVS. Duration Calculus is an interval temporal logic for reasoning about real-time systems. This approach has been applied to a few small examples; for example, safety properties of a design of a leaking gas burner have been verified using this tool [27, 26].

The Larch Prover has been used to verify safety properties of circuits using invariants. The system to be verified is modeled as a Synchronized Transitions program [29]. Synchronized Transitions is a guarded command language, which is also used in the approach presented in this thesis (see Section 4.3). Protocols are used to capture essential properties of the transitions in the program. This approach can be extended to model real-time systems, as is explained in greater detail in Chapter 4.

UNITY is a guarded command language based on an interleaving model of concurrency. It has many features in common with Synchronized Transitions. In [8], it is shown how UNITY can be used to specify designs ranging from architecture independent programs to architecture specific ones. This language has been used to specify a real-time design which was then verified by the Boyer-Moore theorem prover [14]. HOL-UNITY is an implementation of the logic for UNITY in the HOL theorem prover. UNITY programs and properties have been expressed in higher order logic in HOL [2].
In UNITY logic, there are two safety properties, unless and invariant, and two progress properties, ensures and leadsto. A tactic for automating proofs of such properties was developed in HOL-UNITY. Although the proof of the progress properties of the lift-control program presented in [2] does not involve real-time properties, it might be possible to extend this approach to reason about real-time properties using methods like those presented in [14]. However, this would require a practical theory of the reals constructed from the HOL axioms. Researchers have explored ways of implementing a decision procedure for elementary real algebra in HOL. In [18], the difficulties of constructing such a theory are described along with a solution. It explains how a theory rich enough to reason about polynomial inequalities can be implemented in HOL. With a theory of elementary real arithmetic, HOL could be used to reason about timing relations in real-time systems.

Time separation of events in concurrent systems can be determined by modeling the system as a cyclic connected graph. An initial graph is formulated with its nodes representing events and its arcs labeled with delay information. Tight upper and lower bounds for each event can be determined using an algorithm presented in [20]. This approach has been used to verify specific instances of STARI [19].

1.4 Thesis Overview

The remainder of this thesis explains the theory behind the proof checker and the verification technique, and presents an example of how the checker is applied to verifying STARI. Chapter 2 describes how a proof is structured, presents the ten proof rules and two decision procedures in the proof checker, and presents arguments for their soundness (and thus the soundness of the checker). Chapter 3 describes the implementation of the checker and shows that it implements the specification presented in Chapter 2.
Chapter 4 discusses the approach employed to model real-time systems and verify their timing properties. The STARI example is presented in Chapter 5. Chapter 6 summarizes this investigation and suggests possible enhancements to the proof checker.

Chapter 2
Proof Checker Specification

A proof checker is a program that verifies the soundness of a proof. A proof is represented by a sequence of proof states that are manipulated by a small set of proof rules. The soundness of the checker depends only on the soundness of these rules. This chapter describes the structure of the proof checker and justifies the soundness of each proof rule.

2.1 Structure of the Proof Checker

The proof checker is implemented as an LCF style theorem prover [12, 6]: proof states are represented by an abstract data type, and these states are created and manipulated by a small set of rules. A functional metalanguage allows the user to define other proof methods using the fundamental proof rules of the checker. By protecting the proof state with an abstract data type, the soundness of a proof depends only on the soundness of the built-in rules and not on any machinery that the user may build on top of them.

The checker verifies backward proofs. A proof is viewed as a tree: the claim is the root; edges are labeled by proof rules; and the leaves represent simple tautologies. The conjunction of all the children of a node implies the node itself. A proof starts with the claim of the theorem as the one pending proof obligation to be discharged; proof rules are applied to reduce the claim into simple obligations that are decidable by the built-in procedures of the checker. Figure 2.1 shows an example of a proof tree. P is the claim to be proven, Q ∧ R implies P by rule #1, and P is broken down into Q and R. By rule #2, Q is rewritten as S, and by rules #3 and #4, S and R are verified to be tautologies.
Figure 2.1: An example of a proof tree.
P --rule #1--> Q, R
Q --rule #2--> S
S --rule #3--> tautology
R --rule #4--> tautology

A proof script defines a traversal of the proof tree. Such traversals can be in an arbitrary order starting from the root, which allows the user to choose the order in which obligations are simplified and discharged. At each step of the proof, the pending proof obligations are maintained as a list. These obligations correspond to non-leaf nodes that have not yet been broken down into simpler obligations. Although the tree structure is not explicitly represented by the proof state, it could be reconstructed from the sequence of proof rules in the proof script.

2.1.1 Proof State

A proof state in the checker is composed of a claim, a hypothesis list, an obligation list, and a postponed list.

• The claim is the main goal or theorem to be proven. This field associates the theorem to be proven with its proof.

• The hypothesis list contains the hypotheses of the proof. These are stated at the beginning of the proof. No element can be added to or removed from this list once the proof is started.

• The obligation list is the list of pending proof obligations that must be discharged before the claim can be declared proven. Initially, this list contains exactly one element: the claim. The size of the list changes as obligations are broken down or discharged. The proof is complete when this list becomes empty.

• The postponed list contains all unverified assumptions made along the course of the proof. Initially, this list is empty. An obligation can be moved to or removed from this list with the Postponement rules described in Section 2.2.7. Moving a proof obligation to the postponed list is the only way a proof obligation can be discharged without actually proving it.
When a proof is completed, all obligations remaining on the postponed list are printed, and it is the user's responsibility to verify them.

Each proof state represents an implication,

$\forall v.((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v))$,

where Hyp(v) represents the list of hypotheses; Post(v), the list of objects being postponed; Obl(v), the list of obligations; and v is the set of variables over these three predicates. The pending obligations are implied by the hypotheses and the postponed objects. The implication states what remains in order to prove the theorem. Initially, a proof state contains one obligation, the claim. The hypothesis list gives the context of the proof and defines the variables that appear in the proof. As mentioned above, the postponed list is initially empty. Therefore, an initial proof state can be viewed as the implication

$\forall v.(Hyp(v) \Rightarrow Claim(v))$.

This is the theorem to be verified. The proof is complete when all obligations are discharged and no postponed object remains on the postponed list. The last state of a proof gives the implicit implication of the form

$\forall v.((Hyp(v) \wedge \emptyset) \Rightarrow \emptyset)$.

An empty list is equivalent to the boolean value True; accordingly, the implication above is logically equivalent to True.

2.1.2 Proof Rules

There are two types of proof rules: discharge rules and replacement rules. Discharge rules verify that an obligation is a tautology and remove it from the obligation list. Replacement rules, after verifying that the replacement is sound, replace one or more pending obligations with one or more new obligations provided by the user. A replacement is sound if and only if the new proof state implies the old one. Replacement rules often substitute a set of old obligations with a new set, where the new set logically implies the old set, and leave the remaining elements of a proof state unchanged. The new obligations are not required to be equivalent to the old obligations.
Thus, the proof checker is conservative, i.e., failure to verify a proof does not imply the negation of the theorem. Using the notation introduced in the previous section, replacement rules can replace a set of old obligations with a set of new obligations only if the following holds:

$(\forall v'.((Hyp(v') \wedge Post'(v')) \Rightarrow Obl'(v'))) \Rightarrow (\forall v.((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v)))$

where Hyp(v), Post(v) and Obl(v) are the list of old hypotheses, the list of old postponements and the list of old obligations over the variable set v, and Hyp(v'), Post'(v') and Obl'(v') are the hypotheses (which never change), the new postponements and the new obligations over the variable set v'. The sets of variables v and v' can differ, since new variables (i.e. skolem constants) can be introduced by the Skolem_rule (see Section 2.2.4). We conclude that

$(\forall v'.((Hyp(v') \wedge Post'(v')) \Rightarrow Obl'(v'))) \Rightarrow (\forall v.((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v)))$

holds throughout the course of a proof. We can extend this to view the entire proof as a sequence of implications:

$True = \forall v_n.((Hyp(v_n) \wedge Post_n(v_n)) \Rightarrow True)$
$= \forall v_n.((Hyp(v_n) \wedge Post_n(v_n)) \Rightarrow Obl_n(v_n))$
$\Rightarrow \forall v_{n-1}.((Hyp(v_{n-1}) \wedge Post_{n-1}(v_{n-1})) \Rightarrow Obl_{n-1}(v_{n-1}))$
$\Rightarrow \cdots$
$\Rightarrow \forall v_1.((Hyp(v_1) \wedge Post_1(v_1)) \Rightarrow Obl_1(v_1))$
$= \forall v_1.(Hyp(v_1) \Rightarrow Claim(v_1))$.

Thus, a complete proof establishes $True \Rightarrow (\forall v_1.(Hyp(v_1) \Rightarrow Claim(v_1)))$, which is the original claim.

The user is required to provide the rewritten forms of pending obligations for replacement rules. This feature prevents surprises as to how obligations will be rewritten and provides robustness to proofs. Sometimes, the exact form of an obligation is critical to applying a proof rule. With this feature, the user always knows the exact form of each expression. As the system is enhanced, old proofs will not break because expressions will still be rewritten to the same form. This feature also facilitates proof debugging.
After correcting an error, the user can re-execute previously verified parts of the proof script in "gullible mode", where proof steps replace obligations quickly without checking for soundness. Any proof states derived from proof rules executed in gullible mode are marked as untrustworthy. Thus, when the entire proof is debugged, it must be executed again with every step checked for the theorem to be certified by the checker.

2.2 The Proof Rules and their Soundness

This section presents the proof rules and gives justifications for each one. Appendix A.4 presents the syntax and usage of the proof rules.

2.2.1 Linear Programming Rule

Linear programming is built into the checker to provide a decision procedure for systems of linear inequalities. In a real-time system, timing constraints can be checked by this proof rule. Linear programming is also used to verify ranges in case analysis. Many arithmetic relations (or equalities) can be verified by linear programming as well.

Linear programming [23] is a continuous optimization technique, typically with an uncountable number of feasible points. A feasible point in a system of linear inequalities is a point which satisfies each of the inequalities. A linear program is infeasible if no such point exists. In this implementation, the coefficients for linear inequalities are expressed as rational numbers. The existence of a feasible point implies the existence of a rational feasible point in the same system; therefore operations over the set of rational numbers are sufficient to determine a system's feasibility.

Systems of linear inequalities are represented as sets of predicates. For example, x > z can be deduced from x > y and y > z. In this example, x > y, y > z, and x > z are viewed as three boolean predicates. The LP_rule is used to reason about systems of the form $a \wedge b \wedge c \Rightarrow d$, where a, b, c, and d are linear inequalities.
(The number of inequalities in a system is not fixed.) We note that if d is a linear inequality, so is $\neg d$. The conjunction of inequalities $a \wedge b \wedge c \wedge \neg d$ is a linear program which is feasible if and only if there is some assignment to the variables appearing in a, b, c, and $\neg d$ such that all four inequalities are satisfied. Likewise, if the linear program is infeasible, then $\neg(a \wedge b \wedge c \wedge \neg d)$ is a tautology (i.e. it holds for all assignments of the variables appearing in the inequalities), and $(a \wedge b \wedge c) \Rightarrow d$ can be discharged.

Discharging an obligation can be expressed in the notation we introduced earlier as follows. The proof state

$s = \forall v.((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v))$, where $Obl(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_i(v) \wedge \cdots \wedge o_n(v)$ and $o_i(v)$ is the clause to be discharged,

can be rewritten as

$s' = \forall v.((Hyp(v) \wedge Post(v)) \Rightarrow Obl'(v))$, where $Obl'(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_{i-1}(v) \wedge o_{i+1}(v) \wedge \cdots \wedge o_n(v)$,

after $o_i(v)$ is verified to be a tautology. With the same reasoning given in Section 2.1.2, it can be seen that $s' \Rightarrow s$ since $Obl'(v) \Rightarrow Obl(v)$ (in this case, $Obl'(v)$ is logically equivalent to $Obl(v)$).

2.2.2 Predicate Calculus Rule

Boolean manipulation is essential in constructing proofs. It allows reasoning in a subset of first order logic. The PC_rule takes a list of obligations ([a, b, c]) and replaces it with another list of obligations ([d, e]), upon verification that $(d \wedge e) \Rightarrow (a \wedge b \wedge c)$ is a simple tautology. The list of replacement predicates can be empty, in which case the original obligations are discharged if their conjunction is a simple tautology.

The soundness of the PC_rule can be justified in the following fashion. Note that the obligation list represents a conjunction of obligations. Since conjunction is commutative and associative, the order of the obligations in the list is not significant.
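The LP_rule argument of Section 2.2.1 (discharge $a \wedge b \wedge c \Rightarrow d$ by showing that $a \wedge b \wedge c \wedge \neg d$ has no rational feasible point), as an added Python example that is not code from the thesis: the checker itself uses the simplex method (Chapter 3), while this illustration substitutes Fourier-Motzkin elimination with exact `Fraction` arithmetic, and the constraint encoding and the `lp_rule` function are constructed here.

```python
from fractions import Fraction
from itertools import product

# Constructed encoding (not the checker's own): a normalised constraint is a
# triple (coeffs, strict, k) meaning  sum(coeffs[v]*v) <= k  (or < k if strict),
# with every coefficient an exact Fraction, as the thesis's rational arithmetic requires.

def normalize(coeffs, rel, const):
    """Turn `sum(coeffs) rel const` (rel in <=, <, >=, >, =) into normalised constraints."""
    cs = {v: Fraction(a) for v, a in coeffs.items() if a != 0}
    neg = {v: -a for v, a in cs.items()}
    k = Fraction(const)
    return {"<=": [(cs, False, k)], "<": [(cs, True, k)],
            ">=": [(neg, False, -k)], ">": [(neg, True, -k)],
            "=": [(cs, False, k), (neg, False, -k)]}[rel]

def negate(c):
    """not(l <= k) is l > k, i.e. -l < -k; not(l < k) is -l <= -k.  Still a linear inequality."""
    coeffs, strict, k = c
    return ({v: -a for v, a in coeffs.items()}, not strict, -k)

def eliminate(constraints, var):
    """Fourier-Motzkin step: project `var` out, keeping the system equisatisfiable."""
    lowers, uppers, rest = [], [], []
    for coeffs, strict, k in constraints:
        a = coeffs.get(var, 0)
        if a == 0:
            rest.append((coeffs, strict, k))
            continue
        # Scale so the coefficient of var is exactly +1 (upper bound) or -1 (lower bound).
        scaled = {v: b / abs(a) for v, b in coeffs.items() if v != var}
        (uppers if a > 0 else lowers).append((scaled, strict, k / abs(a)))
    # var + u <= ku  and  -var + l <= kl  give  u + l <= ku + kl, strict if either was.
    for (u, su, ku), (l, sl, kl) in product(uppers, lowers):
        combined = dict(u)
        for v, b in l.items():
            combined[v] = combined.get(v, 0) + b
        rest.append(({v: b for v, b in combined.items() if b != 0}, su or sl, ku + kl))
    return rest

def feasible(constraints):
    """True iff some rational assignment satisfies every constraint."""
    system = list(constraints)
    for var in sorted({v for coeffs, _, _ in system for v in coeffs}):
        system = eliminate(system, var)
    # Only variable-free constraints remain: 0 <= k (or 0 < k when strict).
    return all(k > 0 if strict else k >= 0 for _, strict, k in system)

def lp_rule(antecedents, conclusion):
    """LP_rule: a ^ b ^ ... => d is discharged iff a ^ b ^ ... ^ not(d) is infeasible.
    An equality conclusion is checked as the conjunction of its two inequalities."""
    system = [c for ineq in antecedents for c in normalize(*ineq)]
    return all(not feasible(system + [negate(n)]) for n in normalize(*conclusion))

# The thesis's example: x > y and y > z entail x > z ...
TRANSITIVE = lp_rule([({"x": 1, "y": -1}, ">", 0), ({"y": 1, "z": -1}, ">", 0)],
                     ({"x": 1, "z": -1}, ">", 0))
# ... but x > y alone does not, so that obligation is not discharged.
UNSUPPORTED = lp_rule([({"x": 1, "y": -1}, ">", 0)], ({"x": 1, "z": -1}, ">", 0))
```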
Therefore, without loss of generality, $o_i(v), \ldots, o_{i+m}(v)$ are selected to be the old obligations to be replaced. Consider a state $s$ of the form
$$s = \forall v.\,(Hyp(v) \wedge Post(v) \Rightarrow Obl(v))$$
where $Obl(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_i(v) \wedge \cdots \wedge o_{i+m}(v) \wedge \cdots \wedge o_n(v)$. Soundness requires that the successive state implies the current state. The proposed successive state, $s'$, is of the form
$$s' = \forall v.\,(Hyp(v) \wedge Post(v) \Rightarrow Obl'(v))$$
where $Obl'(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o'_i(v) \wedge \cdots \wedge o'_{i+m'}(v) \wedge \cdots \wedge o_n(v)$ such that $(o'_i(v) \wedge \cdots \wedge o'_{i+m'}(v)) \Rightarrow (o_i(v) \wedge \cdots \wedge o_{i+m}(v))$. The new list of obligations is inserted in place of the old obligation with the lowest index. With some boolean manipulation, we can see that $s' \Rightarrow s$ given that the two predicates are quantified over the same set of variables. Since no new variables are introduced by the PC_rule, the implication holds, and therefore the rule is sound.

2.2.3 Instantiation Rule

The Instantiate_rule provides a way to extract specific cases from universally quantified expressions. It provides arguments of the following form:

    All As are B
    C is an A
    C is a B.

It discharges obligations of the form $\forall x.\,f(x) \Rightarrow f(k)$, where $k$ is a constant. This proof rule is often used after retrieving a hypothesis (or hypotheses). It can also be used to replace an existentially quantified obligation with a suitable witness. The justification for the rule is equivalent to that presented in Section 2.2.1 for linear programming, as both discharge tautologies.

2.2.4 Skolemization Rule

The Skolem_rule is symmetric to the Instantiate_rule. It provides arguments of the following form:

    A is B
    A can be anything
    everything is B.

This rule is often used to remove quantifiers from an expression.
Without quantifiers, the expression is built up from linear arithmetic predicates and atomic formulas using simple logical connectives, where reasoning can be done with the other nine proof rules. Universal quantifiers, in this checker, are always over all integers. Existentially quantified expressions $\exists i.\,P(i)$ can be defined as $\neg\forall i.\,\neg P(i)$ and manipulated by the Instantiate_rule and the Skolem_rule as universally quantified expressions. In this approach, the Skolem_rule provides an existential witness given an existentially quantified predicate, and the Instantiate_rule discharges an existentially quantified obligation given an instance.

The concept behind skolemizing a universally quantified expression is to choose a constant which can be of any arbitrary value to substitute for the quantifier [17]. This constant is called a skolem constant. To avoid clashes between the representation of a skolem constant and previously defined variables, the skolem constant cannot be a free variable in the target obligation, or any of the hypotheses on the hypothesis list. It is sufficient to check the target obligation and the hypothesis list for free variables.

In our notation, skolemizing an expression is viewed as moving the universal quantifier to the outermost scope. First, consider a state with an empty postponed list and an obligation. We claim that
$$\forall z.\,(Hyp(z) \Rightarrow \forall x.\,p(x, z)) = \forall \_x.\,\forall z.\,(Hyp(z) \Rightarrow p(\_x, z))$$
provided that $\_x$ and $z$ are disjoint. This shows that it is necessary to examine the hypothesis list for the free variable $\_x$ while skolemizing $\forall x.\,p(x, z)$.

To justify the need to examine the target obligation for colliding free variables, consider the state $\forall z.\,(Hyp(z) \Rightarrow (\forall x.\,\forall y.\,p(x, y, z)))$.
$$\forall z.\,(Hyp(z) \Rightarrow (\forall x.\,\forall y.\,p(x, y, z))) = \forall \_x.\,\forall z.\,(Hyp(z) \Rightarrow (\forall y.\,p(\_x, y, z)))$$
It would be illegal to move the quantifier $y$ to the outer scope using the same skolem constant, $\_x$, since $\forall \_x.\,\forall \_x.\,\forall z.\,(Hyp(z) \Rightarrow p(\_x, \_x, z))$
$$= \forall \_x.\,\forall z.\,(Hyp(z) \Rightarrow (\forall x.\,p(\_x, \_x, z))) \neq \forall z.\,(Hyp(z) \Rightarrow (\forall x.\,\forall y.\,p(x, y, z)))$$

Now, consider a state with two obligations.
$$\begin{aligned}
&\forall z.\,(Hyp(z) \Rightarrow ((\forall x.\,p(x, z)) \wedge (\forall y.\,q(y, z)))) \\
&= (\forall \_x.\,\forall z.\,(Hyp(z) \Rightarrow p(\_x, z))) \wedge (\forall \_y.\,\forall z.\,(Hyp(z) \Rightarrow q(\_y, z))) \\
&= (\forall \_x.\,\forall z.\,(Hyp(z) \Rightarrow p(\_x, z))) \wedge (\forall \_x.\,\forall z.\,(Hyp(z) \Rightarrow q(\_x, z))) \\
&= \forall \_x.\,\forall z.\,(Hyp(z) \Rightarrow (p(\_x, z) \wedge q(\_x, z)))
\end{aligned}$$
This shows that using the same skolem constant for two separate obligations is a legal operation in the proof checker.

Note that the postponed list serves as a buffer to hold obligations that are not in focus at the current step. This list is introduced for the convenience of users of the proof checker, and it is not necessary to distinguish the contents of this list from those of the obligation list when reasoning about the logical soundness of the proof checker (see Section 2.2.7). Consider a proof state
$$s = \forall v.\,(Hyp(v) \wedge Post(v) \Rightarrow Obl(v))$$
where $Obl(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge (\forall z.\,P(z)) \wedge \cdots \wedge o_n(v)$. Applying the Skolem_rule produces
$$s' = \forall v'.\,(Hyp(v') \wedge Post(v') \Rightarrow Obl'(v'))$$
where $Obl'(v') = o_1(v') \wedge o_2(v') \wedge \cdots \wedge P(\_z) \wedge \cdots \wedge o_n(v')$ and $v' = v \cup \{\_z\}$. This transformation is sound given the reasoning above, because the hypotheses and the set of variables appearing in these hypotheses (a subset of $v$) do not change.

2.2.5 Induction Rule

Mathematical induction provides another way to reason about universally quantified assertions. Given an assertion $P(k)$ that is universally quantified over the integer variable $k$, we do three things to prove it by induction. Prove that the base case, $P(b)$, is a tautology. Then, prove that given that the expression holds for cases from $b$ to $n$ (where $n > b$), $P(n+1)$ holds too. We call this inducting up. The final step is to induct downwards by proving that cases $b$ down to $n$ imply $P(n-1)$ (where $n < b$). This is called strong induction. As opposed to weak induction, the induction step is implied by all previous cases. Strong induction is equivalent to weak induction [9].
The Induction_rule takes a universally quantified obligation, $\forall i.\,P(i)$, and breaks it into three clauses:

1. The base case, $P(base)$.
2. Induction step going upwards, $\forall n.\,(n > base) \wedge (\forall i \in \{base, \ldots, n-1\}.\,P(i)) \Rightarrow P(n)$, where $i$ and $n$ are not free variables in $P$.
3. Induction step going downwards, $\forall n.\,(n < base) \wedge (\forall i \in \{n+1, \ldots, base\}.\,P(i)) \Rightarrow P(n)$, where $i$ and $n$ are not free variables in $P$.

We claim that the conjunction of these three clauses is logically equivalent to the initial obligation. Therefore, the replacement is sound. Consider a state $s$:
$$s = \forall v.\,((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v))$$
where $Obl(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_i(v) \wedge \cdots \wedge o_n(v)$. Given that $o'_1 \wedge o'_2 \wedge o'_3 \Leftrightarrow o_i(v)$,
$$s' = \forall v.\,((Hyp(v) \wedge Post(v)) \Rightarrow Obl'(v))$$
where $Obl'(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o'_1(v) \wedge o'_2(v) \wedge o'_3(v) \wedge \cdots \wedge o_n(v)$ is logically equivalent to $s$ by the reasoning given in Section 2.1.2.

2.2.6 Definition Rule

In any proof, there is a set of hypotheses which gives the context of the proof and defines the variables that appear in the proof. The Definition_rule takes a hypothesis, $H$, from the hypothesis list and rewrites an obligation, $O$, as $H \Rightarrow O$. Soundness of this rule is shown as follows. Consider states $s$ and $s'$:
$$s = \forall v.\,((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v))$$
$$s' = \forall v.\,((Hyp(v) \wedge Post(v)) \Rightarrow Obl'(v))$$
where $Hyp(v) = h_1(v) \wedge \cdots \wedge h_i(v) \wedge \cdots \wedge h_n(v)$, $Obl(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_j(v) \wedge \cdots \wedge o_m(v)$, and $Obl'(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge (h_i(v) \Rightarrow o_j(v)) \wedge \cdots \wedge o_m(v)$. It can be shown by simple predicate calculus that $s$ and $s'$ are logically equivalent, since all variables within the two expressions are within the same scope.

2.2.7 Postponement Rules

The set of Postponement_rules increases the flexibility of proof checking.
It allows the user to discharge an obligation without verifying it with the built-in proof rules when the required reasoning is outside the scope of the proof checker. When the proof is done, a list of such obligations is produced, and it is up to the user to verify them using other methods.

The Postponement_rules also provide a lemma mechanism. When a lemma appears more than once in a proof, the lemma can be moved to the postponed list. The lemma can be retrieved from this list each time it is needed. After the last use, the postponed lemma can be moved back onto the obligation list to be discharged with one sequence of proof steps.

These rules can be used when sketching out basic structures of proofs. Tedious proof steps can be left unjustified until the exact components of a proof are formulated. Note that the content of the postponed list requires verification given the hypotheses.

Each postponed object in the list is tagged with a name. An obligation is tagged with a name before it is put onto the list, and these 'lemmas' are referenced by names instead of indices. The rules for manipulating the postponed list are described below:

Rule #1 discharges an obligation by moving it to the postponed list. The user provides a name with which to tag this obligation. The rule moves the obligation from the obligation list to the postponed list if the name is not already used or if the obligation implies the postponed object with the same name. If there is an object on the postponed list with the same name, and this object implies the obligation, then the obligation is removed from the obligation list and the postponed list is unchanged. If the name refers to a postponed object and neither of the relations hold, the rule fails. The soundness of this rule is presented for each case separately.
For the case where the proposed name does not exist in the postponed list, consider the following state:
$$s = \forall v.\,(((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v)) \wedge (Hyp(v) \Rightarrow Post(v)))$$
where $Obl(v) = (o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_i(v) \wedge \cdots \wedge o_n(v))$, and $Post(v) = (p_1(v) \wedge p_2(v) \wedge \cdots \wedge p_j(v) \wedge \cdots \wedge p_m(v))$. Applying this rule produces the state:
$$s' = \forall v.\,(((Hyp(v) \wedge Post'(v)) \Rightarrow Obl'(v)) \wedge (Hyp(v) \Rightarrow Post'(v)))$$
where $Obl'(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_{i-1}(v) \wedge o_{i+1}(v) \wedge \cdots \wedge o_n(v)$, and $Post'(v) = o_i(v) \wedge p_1(v) \wedge p_2(v) \wedge \cdots \wedge p_m(v)$.

If $p_j(v)$ is an object on the postponed list with the proposed name and $o_i(v) \Rightarrow p_j(v)$, then
$$s = \forall v.\,(((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v)) \wedge (Hyp(v) \Rightarrow Post(v)))$$
where $Obl(v) = (o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_i(v) \wedge \cdots \wedge o_n(v))$, and $Post(v) = (p_1(v) \wedge p_2(v) \wedge \cdots \wedge p_j(v) \wedge \cdots \wedge p_m(v))$. Applying this rule produces the state:
$$s' = \forall v.\,(((Hyp(v) \wedge Post'(v)) \Rightarrow Obl'(v)) \wedge (Hyp(v) \Rightarrow Post'(v)))$$
where $Obl'(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_{i-1}(v) \wedge o_{i+1}(v) \wedge \cdots \wedge o_n(v)$, and $Post'(v) = o_i(v) \wedge p_1(v) \wedge p_2(v) \wedge \cdots \wedge p_{j-1}(v) \wedge p_{j+1}(v) \wedge \cdots \wedge p_m(v)$.

If $p_j(v)$ is an object on the postponed list with the proposed name and $p_j(v) \Rightarrow o_i(v)$, then
$$s = \forall v.\,(((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v)) \wedge (Hyp(v) \Rightarrow Post(v)))$$
where $Obl(v) = (o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_i(v) \wedge \cdots \wedge o_n(v))$, and $Post(v) = (p_1(v) \wedge p_2(v) \wedge \cdots \wedge p_j(v) \wedge \cdots \wedge p_m(v))$. Applying this rule produces the state:
$$s' = \forall v.\,(((Hyp(v) \wedge Post'(v)) \Rightarrow Obl'(v)) \wedge (Hyp(v) \Rightarrow Post'(v)))$$
where $Obl'(v) = o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_{i-1}(v) \wedge o_{i+1}(v) \wedge \cdots \wedge o_n(v)$, and $Post'(v) = p_1(v) \wedge p_2(v) \wedge \cdots \wedge p_{j-1}(v) \wedge p_j(v) \wedge p_{j+1}(v) \wedge \cdots \wedge p_m(v)$, i.e. $Post'(v) = Post(v)$.

In all three cases, $s$ and $s'$ are logically equivalent and the replacement preserves the required state implication described in Section 2.1.2.

Rule #2 retrieves a pending lemma from the postponed list. It takes a postponed object, $P$, from the postponed list and rewrites an obligation, $O$, as $P \Rightarrow O$. Consider state $s$:
$$s = \forall v.\,(((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v)) \wedge (Hyp(v) \Rightarrow Post(v)))$$
where $Obl(v) = (o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_i(v) \wedge \cdots \wedge o_n(v))$, and $Post(v) = (p_1(v) \wedge p_2(v) \wedge \cdots \wedge p_j(v) \wedge \cdots \wedge p_m(v))$. Applying this rule produces the state:
$$s' = \forall v.\,(((Hyp(v) \wedge Post(v)) \Rightarrow Obl'(v)) \wedge (Hyp(v) \Rightarrow Post(v)))$$
where $Obl'(v) = o_1(v) \wedge \cdots \wedge o_{i-1}(v) \wedge (p_j(v) \Rightarrow o_i(v)) \wedge o_{i+1}(v) \wedge \cdots \wedge o_n(v)$. $s$ and $s'$ are equivalent by simple boolean manipulation.

Rule #3 moves a postponed object from the postponed list back onto the obligation list. Consider a state $s$:
$$s = \forall v.\,(((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v)) \wedge (Hyp(v) \Rightarrow Post(v)))$$
where $Obl(v) = (o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_n(v))$, and $Post(v) = (p_1(v) \wedge p_2(v) \wedge \cdots \wedge p_j(v) \wedge \cdots \wedge p_m(v))$. Applying this rule produces the state:
$$s' = \forall v.\,(((Hyp(v) \wedge Post'(v)) \Rightarrow Obl'(v)) \wedge (Hyp(v) \Rightarrow Post'(v)))$$
where $Obl'(v) = p_j(v) \wedge o_1(v) \wedge o_2(v) \wedge \cdots \wedge o_n(v)$, and $Post'(v) = p_1(v) \wedge p_2(v) \wedge \cdots \wedge p_{j-1}(v) \wedge p_{j+1}(v) \wedge \cdots \wedge p_m(v)$.

This is the inverse of Rule #1. It is essential that the context of an obligation does not change after being moved back and forth between the postponed list and the obligation list. The simple checker maintains a constant hypothesis list and does not introduce the concept of scoping (i.e. all expressions are in the same scope); thus, the proof checker can postpone and retrieve obligations without changing the meaning of these obligations.

2.2.8 Equality Rule

The EQ_rule allows two expressions to be used interchangeably in any expression, given that they represent the same value. This rule allows the user to interchange $a$'s and $b$'s in expressions like $(a = b) \Rightarrow f(a, b)$. The replacement obligation is identical to the original obligation except that some $a$'s are replaced by $b$'s and vice versa. The replacement and the original obligation are equivalent by substitution.
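The proof-state quadruple with the PC_rule of Section 2.2.2 and the three Postponement_rules of Section 2.2.7, as an added Python sketch that is not the thesis's FL code: obligations are propositional formulas written as Python boolean expressions, an exhaustive truth table stands in for the BDD-based tautology check, and the "gullible mode" of the opening paragraph is modelled by a `check` flag. All type, function and lemma names here are this example's own.

```python
"""Added example (not the thesis's FL code): the proof-state quadruple of Section 2.1 with
the PC_rule (Section 2.2.2) and the three Postponement_rules (Section 2.2.7).  Obligations
are propositional formulas written as Python boolean expressions over identifiers; an
exhaustive truth table stands in for the BDD-based tautology check of the real checker.
All names here are this example's own."""
from dataclasses import dataclass, replace
from itertools import product
import re

_KEYWORDS = {"and", "or", "not", "True", "False"}


class RuleFailure(Exception):
    """Raised when a proposed replacement cannot be validated (cf. the FL 'error')."""


def fails(rule, *args, **kwargs):
    """True iff applying the rule raises RuleFailure (cf. the FL 'catch')."""
    try:
        rule(*args, **kwargs)
        return False
    except RuleFailure:
        return True


def free_vars(*formulas):
    names = {v for f in formulas for v in re.findall(r"[A-Za-z_]\w*", f)}
    return sorted(names - _KEYWORDS)


def is_tautology(formula):
    """True iff `formula` holds under every assignment of its variables
    (eval is applied to constructed formulas only; no builtins are exposed)."""
    vs = free_vars(formula)
    return all(bool(eval(formula, {"__builtins__": {}}, dict(zip(vs, bits))))
               for bits in product((False, True), repeat=len(vs)))


def conj(formulas):
    return " and ".join(f"({f})" for f in formulas) if formulas else "True"


def implies(antecedent, consequent):
    return f"(not ({antecedent})) or ({consequent})"


@dataclass(frozen=True)
class State:
    obligations: tuple      # boolean list
    postponed: tuple        # postpone list: (name, formula) pairs
    hypotheses: tuple       # boolean list; never changed by a rule
    claim: str              # boolean
    trusted: bool = True    # False once a gullible-mode step has been applied


def pc_rule(s, old_idx, new_obls, check=True):
    """Replace the obligations at old_idx by new_obls after verifying that
    (AND new_obls) => (AND old) is a tautology.  check=False is 'gullible mode':
    the replacement is made without the check and the state is marked untrusted."""
    old = [s.obligations[i] for i in old_idx]
    if check and not is_tautology(implies(conj(new_obls), conj(old))):
        raise RuleFailure("PC_rule: new obligations do not imply the old ones")
    kept = [o for i, o in enumerate(s.obligations) if i not in old_idx]
    lowest = min(old_idx)            # new list goes where the lowest old index was
    obls = kept[:lowest] + list(new_obls) + kept[lowest:]
    return replace(s, obligations=tuple(obls), trusted=s.trusted and check)


def postpone_rule1(s, idx, name):
    """Rule #1: move obligation idx to the postponed list under `name`."""
    o = s.obligations[idx]
    rest = s.obligations[:idx] + s.obligations[idx + 1:]
    existing = dict(s.postponed)
    if name not in existing:
        return replace(s, obligations=rest, postponed=((name, o),) + s.postponed)
    p = existing[name]
    if is_tautology(implies(o, p)):          # o_i => p_j: o_i takes p_j's place
        post = tuple((n, o if n == name else f) for n, f in s.postponed)
        return replace(s, obligations=rest, postponed=post)
    if is_tautology(implies(p, o)):          # p_j => o_i: postponed list unchanged
        return replace(s, obligations=rest)
    raise RuleFailure(f"postpone: neither relation holds for lemma {name!r}")


def postpone_rule2(s, name, idx):
    """Rule #2: retrieve lemma `name` by rewriting obligation o_i as (p_j => o_i)."""
    p = dict(s.postponed)[name]
    obls = list(s.obligations)
    obls[idx] = implies(p, obls[idx])
    return replace(s, obligations=tuple(obls))


def postpone_rule3(s, name):
    """Rule #3: move lemma `name` back onto the front of the obligation list."""
    p = dict(s.postponed)[name]
    post = tuple(item for item in s.postponed if item[0] != name)
    return replace(s, obligations=(p,) + s.obligations, postponed=post)


def proof_complete(s):
    """A proof is complete when no obligations remain; the postponed list is
    handed back to the user for verification by other means."""
    return len(s.obligations) == 0, s.postponed, s.trusted
```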
Applying the EQ_rule to state $s$, where
$$s = \forall v.\,((Hyp(v) \wedge Post(v)) \Rightarrow Obl(v))$$
and $Obl(v) = o_1(v) \wedge \cdots \wedge o_i(v) \wedge \cdots \wedge o_n(v)$, yields state $s'$, where
$$s' = \forall v.\,((Hyp(v) \wedge Post(v)) \Rightarrow Obl'(v))$$
and $Obl'(v) = o_1(v) \wedge \cdots \wedge o'_i(v) \wedge \cdots \wedge o_n(v)$. $s'$ is equivalent to $s$ by the claim that $o_i(v)$ and $o'_i(v)$ are logically equivalent.

2.2.9 If Rule

The IF_rule is a replacement rule. It rewrites expressions of the form (if True then a else b) to a, and expressions of the form (if False then a else b) to b. It simplifies boolean expressions once the conditions of the (if ... then ... else ...) constructs are evaluated to be a boolean constant (True or False). This rule applies simple replacement to logically equivalent obligations, and therefore can be justified by the reasoning given in the previous section for the EQ_rule.

Note that expressions of the form (if P then x else x) can be rewritten into x. The IF_rule does not directly support simplification of this form. However, obligations of this form can be simplified by first performing case analysis using the PC_rule to rewrite the expression into two clauses: (P = True) ⇒ (if P then x else x) and (P = False) ⇒ (if P then x else x). Then, the EQ_rule can be used to simplify the two clauses into (if True then x else x) and (if False then x else x) respectively. These two clauses can then be rewritten into x by the IF_rule. Finally, the two identical obligations can be combined into one using the PC_rule.

2.2.10 Discrete Rule

The Discrete_rule is based on the discreteness of integers. It discharges obligations of the form $(x > y) = (x \geq (y + 1))$ or $(x < y) = (x \leq (y - 1))$ given that both $x$ and $y$ are integers. The justification of this rule is the same as for the other discharge rules, as presented in Section 2.2.1.

2.3 Conclusion

This chapter has presented the ten proof rules which form the core of the proof checker.
As shown in Chapter 5, this small set of proof rules is sufficient to verify significant real-time systems.

Chapter 3

Implementation of the Proof Checker

The previous chapter gave a specification for a proof checker. This chapter presents the functions and procedures that implement this specification and is structured to closely parallel the specification. Sections 3.1 and 3.2 in this chapter correspond to Sections 2.1.1 and 2.1.2 in the previous chapter; they describe the structures of the proof checker and proofs constructed by this checker. The proof checker is implemented in FL, the functional interface language of the Voss [25] hardware verification system. FL provides an efficient implementation of Ordered Binary Decision Diagrams [5] which makes boolean manipulation simple. To support reasoning about systems of linear relations, the author added an implementation of the simplex method for linear programming to FL. Section 3.3 gives a detailed explanation of the implementation of the simplex method, and how it is incorporated into Voss. Section 3.4 presents the implementation of the ten proof rules in the same order as that of the specifications in Section 2.1.2 of the previous chapter.

3.1 Abstract Data Type for Proof State

Proof states are encapsulated in an abstract data type, state. States are quadruples built with the constructor STE (see Section 3.2). The constructor STE is only defined within state; this ensures that states are only constructed by the proof rules presented in this chapter. The four fields in a state are: the obligation list (type boolean list), the postponed list (type postpone list), the hypothesis list (type boolean list), and the claim (type boolean). Type postpone is defined as the constructor, post, followed by the boolean expression to postpone and an identifier to reference it (i.e. post boolean string).
The type boolean is distinct from the built-in FL type bool. Constructors are included for creating variables and arrays, for the standard boolean operations (And, Or, Not, etc.) and for comparisons of integers and reals. The structure of the type boolean is described in detail in Appendix A.

Proof states cannot be constructed or modified outside the abstract data type; however, there are four functions to read the fields of the data type:

• (getclaim state) returns the claim of the proof from the given proof state.
• (gethypothesislst state) returns the list of hypotheses from the given proof state.
• (getpostponelst state) returns the list of postponed objects from the given proof state.
• (getobligationlst state) returns the list of obligations from the given proof state.

3.2 The Proof Rules and some Implementation Techniques

Every proof rule provided by the proof checker takes a list of old obligations and a list of new obligations together with some auxiliary information for the particular rule. Then it either makes the appropriate replacement or fails with an error message if the proposed replacement is not valid. In most cases, the old obligation list is a singleton. As described in the previous chapter, discharge rules have empty new obligation lists. In the case of a discharge rule, a singleton list is replaced by an empty list. Replacement rules, on the other hand, have one or more elements in the new obligation list. In this case, one or more old obligations are replaced by the new obligations.

Elements of the hypothesis and obligation lists are accessed by indexing. Given the index (an integer) of the element in the list, the desired element is retrieved. All rules, except PC_rule, take a singleton old obligation list.
The function apply is used in the implementation of all these rules. (apply f n lst) looks up the nth element in the obligation list, lst, applies the function f to this obligation to verify that the resulting list proposed by the user is a valid replacement, then replaces the nth obligation by this list. With this structure, there is one core function per proof rule, and this function is called by apply to validate the replacement.

Several features of FL are used extensively in the checker. FL is a functional language; accordingly, many auxiliary functions are recursive. Pattern matching is often used to enumerate cases according to the type constructors. The next three sections describe some of the functions implemented using these techniques, what it means for a rule to fail, and how a concrete type is defined on top of the core FL types.

3.2.1 Defining the Concrete Types

Concrete types are types defined on top of the three FL types (int, string, and bool). These types are defined by a set of constructors, which can be constants or functions. For example, an integer is declared as

    lettype integer =
        const int;
        I string;
        i_array string integer;
        ++ integer integer;
        -- integer integer;
        ** integer integer;
        i_if boolean integer integer;

const, I, i_array, ++, --, **, and i_if are constructors of the type integer. These constructors take arguments of various types to produce objects of type integer. In the proof checker, integers are represented symbolically, and these constructors build the data structures that represent expressions. Other functions in the proof checker are used to perform operations on these expressions. See Figure A.12 for descriptions of other concrete types.
3.2.2 Pattern Matching

As concrete types are made up of various constructors followed by some defined types, pattern matching is frequently used when writing expressions. As an example, consider the function eval which converts an expression of type boolean into an FL bool. An FL bool is represented by a BDD; this representation supports efficient manipulation of boolean expressions, for example, to implement the PC_rule. The following shows a few lines from this function:

    letrec eval True = T
        /\ eval False = F
        /\ eval (bool s) = (variable s)
        /\ eval (Not b) = (NOT (eval b))
        /\ eval (And b1 b2) = ((eval b1) AND (eval b2))
        /\ eval (b_array s n) = (eval (bool (prBool (b_array s n))))
        /\ eval ('> r1 r2) = (eval (bool (prBool (r1 '> r2))))
        /\ eval (forall n b) = (eval (bool (prBool (forall n b))))
        /\ ...

The function traverses an expression tree, converts variables, inequalities, and universally quantified expressions into BDD nodes, and creates a BDD corresponding to the expression. In this example, pattern matching is also used to define a recursive function; terminal and non-terminal calls are distinguished by the type constructor associated with the argument.

Many other functions in the checker are implemented with the same technique. For example, the functions replaceBool, replaceInt, and replaceReal replace all occurrences of a boolean, integer, or real valued subexpression respectively by another expression of the same type. Implementations of these functions traverse an expression tree by pattern matching, compare each leaf with the subexpression to be replaced, and apply the replacement to the matching subexpressions.

3.2.3 Failures

A proof rule fails when it cannot perform the requested discharge or replacement.
Instead of returning the result, the core function for the proof rule generates an FL failure, (error msg), where msg is the error message for the failure. An FL failure can be trapped by the function catch: (e1 catch e2) evaluates to e1 unless e1 causes a failure, in which case the expression is evaluated to e2. For example, the expression

    let s = (apply_rule state)
     /\ s' = (apply_rule state')
    in (apply_rule s) catch (apply_rule s')

evaluates to s if apply_rule successfully performed the request with the input state, and evaluates to s' if it failed.

3.3 Linear Programming

Simplex is used in the proof checker as a decision procedure for linear programs, i.e. systems of linear relations. This implementation uses simplex to determine the feasibility of a given set of relations rather than generating an optimal solution to some cost function. If a problem is infeasible, this procedure simply returns "infeasible", whereas, if the problem is feasible, a feasible solution can be exhibited as a counterexample to the LP_rule.

Figure 3.2: A system of linear relations.

3.3.1 Simplex Method

The simplex method, described by Papadimitriou and Steiglitz [23], was implemented to determine the feasibility of a given linear program. The simplex method takes a tableau in standard form and returns an example feasible solution for each feasible set and simply returns "infeasible" for infeasible sets. As an example, consider the following set of linear relations (see Figure 3.2):

    A. $2x - y \leq 4$
    B. $2x + y \geq 10$
    C. $x + y \leq 9$

Standard Form

A system of the following form
$$\min\ cx \qquad Ax = b \qquad x \geq 0$$
is said to be in standard form. Programs with arbitrary relations ($<$, $\leq$, $\neq$, $=$, $\geq$, $>$) can be transformed into standard form. First, consider the general case with $\geq$ and $\leq$ relations and unconstrained variables.
A $\geq$ relation can be rewritten into standard form by introducing a surplus variable. For example,
$$\sum_{j=1}^{n} a_{ij} x_j \geq b_i$$
can be rewritten as
$$\sum_{j=1}^{n} a_{ij} x_j - s_i = b_i, \qquad s_i \geq 0$$
where $s_i$ is called a surplus variable. A $\leq$ relation can be rewritten into standard form in a similar way by introducing a slack variable. For example,
$$\sum_{j=1}^{n} a_{ij} x_j \leq b_i$$
can be rewritten as
$$\sum_{j=1}^{n} a_{ij} x_j + s_i = b_i, \qquad s_i \geq 0$$
where $s_i$ is called a slack variable. An unconstrained variable $x_j$ can be split into $x_j^+$ and $x_j^-$ where
$$\text{unconstrained}(x_j) \Rightarrow x_j = x_j^+ - x_j^-, \qquad x_j^+ \geq 0, \qquad x_j^- \geq 0.$$
Representing $x_j$ in terms of $x_j^+$ and $x_j^-$ replaces one unconstrained variable by two constrained variables.

After translating a tableau from a general form into standard form as above, the simplex method can solve the system with $\geq$, $\leq$, and $=$. For example, the system

    A. $2x - y \leq 4$
    B. $2x + y \geq 10$
    C. $x + y \leq 9$
    ($x \geq 0$)

can be transformed into a standard tableau by introducing two split variables, $y^+$ and $y^-$, to replace the unconstrained $y$, two slack variables, and one surplus variable. The resulting tableau has nine constraints and six variables.
$$\begin{aligned}
2x - y^+ + y^- + s_3 &= 4 \\
2x + y^+ - y^- - s_2 &= 10 \\
x + y^+ - y^- + s_1 &= 9 \\
x \geq 0,\ y^+ \geq 0,\ y^- \geq 0,\ s_1 \geq 0,\ s_2 \geq 0,\ s_3 &\geq 0
\end{aligned}$$

Artificial Variables and Basic Feasible Solutions

Consider a linear program with $n$ variables and $m$ constraints. Typically, $n > m$, and if the linear program is feasible, the feasible region is an $n$-dimensional convex polytope. It can be shown that at each vertex of the polytope, at least $n - m$ variables have value zero. In the simplex algorithm, vertices are identified by the choice of the other $m$ variables. The values of these variables can be determined by solving the system of linear equations. This is called a basic feasible solution (or a BFS). If more than $n - m$ variables are zero at some vertex, that vertex is said to be degenerate, and it has more than one representation in the simplex algorithm.
For an optimization problem, a linear cost function assigns a cost to each point in the feasible region. It is straightforward to show that the minimum cost is achieved at some vertex of the polytope. The simplex method starts from one vertex of the polytope and moves from one vertex to another until it finds an optimal solution. These moves are called pivots. To start the pivoting process, a BFS must be identified.

To find an initial BFS, artificial variables are introduced. One new variable is introduced for each equality of the original standard form problem. Each of the equalities can be satisfied by setting the corresponding artificial variable to the appropriate value and setting all of the original variables to zero. This constructs a BFS for the linear program with artificial variables. Using the sum of the artificial variables as a cost function, the simplex algorithm searches for a vertex where all of the artificial variables are zero. If such a vertex is found, it corresponds to a solution to the original program. If no such vertex exists, the original problem is infeasible.

In the implementation used in the proof checker, the steepest descent policy is used to select the pivot. The pivot column is selected by
$$j = \min\{j : c_j < 0\}$$
where $c_j$ corresponds to the marginal cost of bringing variable $j$ into the tableau. The pivot row is selected by
$$B(i) = \min\left\{B(i) : x_{ij} > 0 \text{ and } \frac{b_i}{x_{ij}} \leq \frac{b_k}{x_{kj}} \text{ for every } k \text{ with } x_{kj} > 0\right\}$$
where $b_i$ is the current right-hand side of row $i$. Pivoting corresponds to moving along an edge of the polytope. The end of the edge is identified by one of the constraints (on variables being $\geq 0$) becoming tight. Moving from vertex $v$ to vertex $u$, a variable that was in the basis at $v$ is zero at $u$. This variable is identified by the choice of $i$. In the case of degeneracy, the cost, $z$, may not decrease, even though a column $j$ with $(c_j - z_j) < 0$ is selected. Furthermore, it is possible for the algorithm to return to a
previous BFS and loop indefinitely. To avoid cycling, Bland's anticycling algorithm is used after every zero-improvement pivot. The column to enter the basis is selected by
$$j = \min\{j : c_j - z_j < 0\}$$
and the row by the same formula as that of the steepest descent algorithm,
$$B(i) = \min\left\{B(i) : x_{ij} > 0 \text{ and } \frac{b_i}{x_{ij}} \leq \frac{b_k}{x_{kj}} \text{ for every } k \text{ with } x_{kj} > 0\right\}$$
Since the number of vertices is finite, and the cost is monotonically decreasing without cycling, this algorithm will terminate. There are three possible cases after this cost function is minimized:

• Case 1: the cost, $z$, is zero, and all artificial variables, $x_i^a$, are driven out of the basis ⇒ a BFS to the original problem is found.
• Case 2: at optimality the cost, $z > 0$ ⇒ the original problem is infeasible.
• Case 3: $z$ is reduced to zero, but some artificial variables remain in the basis at zero level.

In Case 3, one additional pivot is required for each artificial variable remaining in the basis to produce a basis consisting only of variables from the original problem. After driving out all zero-level artificial variables, there is a basic feasible solution for the original problem. This solution will be referred to as BFS $B$ hereafter. The only way this can fail is that a row is zero in all the columns corresponding to non-artificial variables. This means the original problem is not of full rank (i.e. the row is implied by other rows in the system). In this case, this row can be removed from the system.

3.3.2 Strict Inequalities ($>$ and $<$)

The simplex method, described in Section 3.3.1, solves linear programs with relations $\geq$, $\leq$, and $=$. Although strict and non-strict inequalities are indistinguishable in typical numerical programming, considering the application of this implementation, theorems may be stated with tight bounds, in which case the difference is significant.
In the proof checker, simplex is implemented using exact rational arithmetic, which allows strict inequalities to be distinguished. Given inequalities with $>$ or $<$ relations, the program must be converted to standard form before applying the simplex algorithm. To handle $>$ and $<$, we introduce a variable $\epsilon$ and write $\sum a_j x_j > b$ as
$$\sum a_j x_j - \epsilon = b, \qquad \epsilon \geq 0$$
and $\sum a_j x_j < b$ as
$$\sum a_j x_j + \epsilon = b, \qquad \epsilon \geq 0.$$
The simplex algorithm is used to find a feasible point that minimizes $-\epsilon$. If $\epsilon > 0$ at this point, then the original program with a strict inequality was feasible; otherwise, the original program was infeasible. If there is more than one strict inequality, the same $\epsilon$ is introduced to all inequalities to transform these inequalities to equalities. Then an attempt is made to minimize $-\epsilon$ and conclude feasibility as soon as $\epsilon$ becomes greater than zero. The feasible solution resulting from this stage is referred to as $B'$ in later references.

A geometric interpretation of $\epsilon$ is the distance moved towards the interior of the polytope from the boundary. If there is a feasible solution with $\epsilon > 0$, that means there is a point satisfying all constraints but the point does not lie on the $>$- or $<$-constraints. Consider the linear system

    A. $2x - y \leq 4$
    B. $2x + y \geq 10$
    C. $x + y < 9$
    ($x \geq 0$)

With the introduction of slack and surplus variables together with $\epsilon$, the resulting system is:
$$\begin{aligned}
2x - y^+ + y^- + s_3 &= 4 \\
2x + y^+ - y^- - s_2 &= 10 \\
x + y^+ - y^- + s_1 + \epsilon &= 9 \\
x \geq 0,\ y^+ \geq 0,\ y^- \geq 0,\ s_1 \geq 0,\ s_2 \geq 0,\ s_3 \geq 0,\ \epsilon &\geq 0
\end{aligned}$$

3.3.3 Not-equal-to Relations ($\neq$)

Let $P$ be the feasible polytope for the program when not-equal-to relations are ignored. A not-equal-to relation excludes points that lie on the hyperplane defined by the corresponding equal-to relation. If this hyperplane does not intersect $P$, then all points in $P$ satisfy the not-equal-to relation. If this hyperplane contains $P$, then the original program is infeasible.
Finally, if the hyperplane intersects P but does not contain P , then the intersection of the hyperplane wi th P is of dimension one less than the dimen-sion of P . In this case, almost all points in P satisfy the not-equals-to relation, and any remaining not-equals-to relations can be considered independently (because the number of not-equals-to relations is finite and therefore countable). Chapter 3. Implementation of the Proof Checker 37 In the proof checker, the feasible polytope is never explicitly constructed. Instead, a B F S is found for the program when not-equals-to relations are ignored. Let B be such a B F S . Now, the not-equals-to relations can be considered one at a time. If B satisfies the relation, then the infeasible hyperplane of the relation does not contain B and therefore it does not contain al l of P. O n the other hand, if B is in the infeasible hyperplane, then the implementation pivots to find a B F S that is above or below this hyperplane. If no such B F S is found, then the original program is infeasible. If a suitable B F S is found for every not-equals-to relation, then the original program is feasible. B y examining one not-equals-to relation at a time, an exponential problem is avoided. A n exponential number of linear programming problems would be generated, if both the below and above cases for each not-equals-to relation is considered at the same time. The implementation described above solves at most one linear programming problem per not-equal-to relation. 3.3.4 Special Cases There are a few special cases which are not resolved by the methods described above. • A l l zeros row: — If a linear program has a constraint of the form 0 ^ Ox, 0 > Ox, or 0 < Ox, then the program is infeasible. - A constraint of the form 0 < Ox, 0 = Ox, or 0 > Ox is tr ivial ly satisfied everywhere and can be deleted from the linear program. • A linear program with only not-equals-to relations is feasible as long as none of these are of the form 0 ^ Ox. 
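As an added example (not the thesis's FL implementation of LP), the Python code below carries out the procedure of Sections 3.3.1 to 3.3.4 with exact rational arithmetic: a Phase I simplex with Bland's rule, the shared ε variable for strict inequalities, and the one-at-a-time treatment of ≠ relations. It assumes every variable is free and split into x⁺ − x⁻ (so x ≥ 0 is supplied as an explicit row); the column layout and the function names are this example's own.

```python
from fractions import Fraction as Fr

def _pivot(T, r, c):
    """Gauss-Jordan pivot: column c becomes the unit vector with its 1 in row r."""
    p = T[r][c]
    T[r] = [v / p for v in T[r]]
    for i in range(len(T)):
        if i != r and T[i][c] != 0:
            f = T[i][c]
            T[i] = [a - f * b for a, b in zip(T[i], T[r])]

def _simplex(T, basis, cost, allowed, stop=lambda T, basis: False):
    """Minimise cost over a canonical-form tableau (a row's last entry is its rhs), pivoting
    only on `allowed` columns.  Bland's rule is applied to every pivot here (the thesis uses
    it only after zero-improvement pivots).  Returns 'optimal', 'unbounded' or 'stopped'."""
    m = len(T)
    while not stop(T, basis):
        enter = None
        for j in allowed:  # j = min{ j : c_j - z_j < 0 }
            if j not in basis and cost[j] - sum(cost[basis[i]] * T[i][j] for i in range(m)) < 0:
                enter = j
                break
        if enter is None:
            return "optimal"
        leave, best = None, None
        for i in range(m):  # minimum ratio b_i / x_ij over rows with x_ij > 0
            if T[i][enter] > 0:
                ratio = T[i][-1] / T[i][enter]
                if best is None or ratio < best or (ratio == best and basis[i] < basis[leave]):
                    leave, best = i, ratio  # ties: smallest basic index (Bland)
        if leave is None:
            return "unbounded"
        _pivot(T, leave, enter)
        basis[leave] = enter
    return "stopped"

def _feasible_no_ne(rows, nvars):
    """Feasibility of a system without '!=' rows (Sections 3.3.1 and 3.3.2).  Every variable is
    free and split into x+ - x- (an assumption of this example); state non-negativity as a row."""
    strict = any(rel in ('<', '>') for _, rel, _ in rows)
    col_slack = 2 * nvars  # columns: x+ | x- | slack/surplus | eps | artificial | rhs
    col_eps = col_slack + sum(rel != '=' for _, rel, _ in rows)
    col_art = col_eps + (1 if strict else 0)
    ncols = col_art + len(rows)
    T, basis, k = [], [], 0
    for i, (co, rel, b) in enumerate(rows):
        row = [Fr(0)] * (ncols + 1)
        for j, c in enumerate(co):
            row[j], row[nvars + j] = Fr(c), -Fr(c)
        if rel != '=':
            sign = Fr(1) if rel in ('<', '<=') else Fr(-1)
            row[col_slack + k] = sign  # slack for <=, surplus for >=
            k += 1
            if rel in ('<', '>'):
                row[col_eps] = sign  # sum a.x + eps <= b   or   sum a.x - eps >= b
        row[-1] = Fr(b)
        if row[-1] < 0:  # the artificial basis needs a non-negative rhs
            row = [-v for v in row]
        row[col_art + i] = Fr(1)
        T.append(row)
        basis.append(col_art + i)
    # Phase I: minimise z = sum of the artificials, without pivoting on the eps column
    cost1 = [Fr(int(j >= col_art)) for j in range(ncols)]
    _simplex(T, basis, cost1, [j for j in range(col_art) if not (strict and j == col_eps)])
    if sum(T[i][-1] for i in range(len(T)) if basis[i] >= col_art) > 0:
        return False  # case 2: z > 0 at optimality
    i = 0
    while i < len(T):  # case 3: drive out zero-level artificials
        if basis[i] >= col_art:
            j = next((j for j in range(col_art) if T[i][j] != 0), None)
            if j is None:  # row implied by the others (not full rank): drop it
                del T[i], basis[i]
                continue
            _pivot(T, i, j)
            basis[i] = j
        i += 1
    if not strict:
        return True  # the BFS B satisfies every non-strict row
    # Phase II: minimise -eps; stop as soon as eps is basic and positive (BFS B')
    cost2 = [Fr(-1) if j == col_eps else Fr(0) for j in range(ncols)]
    positive = lambda T, basis: any(basis[i] == col_eps and T[i][-1] > 0 for i in range(len(T)))
    return _simplex(T, basis, cost2, list(range(col_art)), positive) != "optimal"

def lp_feasible(constraints, nvars):
    """(coeffs, rel, b) triples mean sum(coeffs[j]*x_j) rel b; rel in < <= = >= > !=.  True iff feasible."""
    base = [c for c in constraints if c[1] != '!=']
    if not _feasible_no_ne(base, nvars):
        return False
    for co, _, b in [c for c in constraints if c[1] == '!=']:
        for rel in ('<', '>'):  # Figure 3.3: try '<', then '>'; keep the feasible side
            if _feasible_no_ne(base + [(co, rel, b)], nvars):
                base.append((co, rel, b))
                break
        else:
            return False
    return True

# Constructed input: the system of Section 3.3.2 (A: 2x - y <= 4, B: 2x + y >= 10, C: x + y < 9, x >= 0)
EXAMPLE = [([2, -1], '<=', 4), ([2, 1], '>=', 10), ([1, 1], '<', 9), ([1, 0], '>=', 0)]
```

`lp_feasible(EXAMPLE, 2)` returns True (for instance x = 3, y = 5 satisfies all four rows), while `lp_feasible([([1], '>', 0), ([1], '<=', 0)], 1)` returns False because ε can never leave zero.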
Figure 3.3 shows the pseudocode for the implementation of linear programming.

    standardize tableau (check for special cases)
    rewrite > and < constraints, introduce ε
    move ≠ constraints to the unresolved list
    introduce artificial basis
    call simplex with cost z = Σ xᵃ  (BFS: B)  (without pivoting on the ε column)
    if z_opt > 0 then return infeasible
    if an artificial variable is in the basis and cannot be driven out
        then omit the corresponding row
    for each element on the unresolved list {
        if B satisfies this constraint
            then remove the constraint from the unresolved list
        update ε column for > and < constraints
    }
    call simplex with cost −ε  (BFS: B')
    if cannot find feasible solution B' then return infeasible
    for each element still on the unresolved list {
        /* pivot to find a point satisfying the relation */
        add element to system as <
        if feasible then continue
        add element to system as >
        if feasible then continue
        return infeasible
    }
    return BFS

Figure 3.3: Pseudocode for Linear Programming.

3.4 Implementation of Proof Rules

This section describes the implementation of the ten proof rules in a format similar to that of Section 2.1.2 in the previous chapter, with emphasis on implementation issues. For detailed usage of the proof rules, refer to the User Manual in Appendix A.4. Each rule is summarized by a table. The field Syntax describes how to apply a rule to a proof state; it lists the arguments in the order in which the function is called. Type indicates whether the rule removes an obligation from the obligation list (discharge rule) or replaces the obligation with an expression that implies the old obligation (replacement rule). The Expected Structure is the general form of the obligation to be discharged or replaced. The Arguments section explains each argument required by the function. The Functionality section describes the typical use of the function. While reading this section, note the distinction between the conceptual proof rules, which are referred to as x_rule, and the implementation of these rules, which is denoted by the names of the core functions that implement them (usually of the form apply_x).

3.4.1 Linear Programming Rule

Table 3.1: Linear Programming Rule
    Syntax: (apply_lp n state)
    Type: discharge
    Expected Structure: (a1 And a2 And ... And an And (Not c)) Equal False
    Arguments: n is the index of the target obligation.
               state is the source state.
    Functionality: decision procedure for systems of linear inequalities.

The function apply_lp is built on top of the FL function LP, whose implementation was described in the previous section. LP takes as its argument a string representing a linear program as a tableau and returns an FL bool: T to indicate a feasible solution and F for an infeasible solution. Such a tableau should be of the following form:

    { m, n;
      r1 b1, x11, x12, ..., x1m;
      r2 b2, x21, x22, ..., x2m;
      ...
      rn bn, xn1, xn2, ..., xnm; }

where m is the number of variables; n is the number of (in)equalities; r_i is the relation of the ith inequality; b_i is the constant value on the ith row; and x_ij is the coefficient of the jth variable in the ith row. The function prnTableau takes a clause of the form ((a1 And a2 And ... And an And (Not c)) Equal False) and transforms its negation to a string representing the corresponding tableau. This tableau has the linear inequalities a1, a2, ..., an and ¬c (i.e. c with its relation inverted). The output from prnTableau is the input to LP. If LP returns F, indicating infeasibility of the system, the obligation is a tautology and apply_lp discharges it. If LP returns T, indicating feasibility of the system, the rule fails.

3.4.2 Predicate Calculus Rule

Table 3.2: Predicate Calculus Rule
    Syntax: (apply_PredicateCalc index_list predicate_list state)
    Type: replacement / discharge
    Expected Structure: none
    Arguments: index_list is the list of indices into the old obligation list.
               predicate_list is the list of replacements.
               state is the source state.
    Functionality: decision procedure for boolean manipulations.

The PC_rule is the only rule whose old obligation list varies in size. It takes an old obligation list of arbitrary size and replaces it with a new obligation list of arbitrary size. The new obligation list can be empty, in which case PC_rule acts as a discharge rule. FL represents boolean expressions (of type bool) using ordered binary decision diagrams (OBDDs) [5], and this allows symbolic manipulation of expressions. The function apply_PredicateCalc uses this feature to do tautology checking. As shown in Section 3.2.2, the function eval uses pattern matching to translate expressions of type boolean into FL bools. It treats inequalities and forall expressions as single BDD nodes. After the list of old obligations and the list of new obligations are each rewritten as conjunctions of boolean values, the function eval is used to determine whether the new list implies the old list. If this holds, then the old list is removed from the obligation list and the new list is inserted in place of the old obligation with the lowest index. Otherwise, the rule fails with an error message.

3.4.3 Skolemization Rule

Table 3.3: Skolemization Rule
    Syntax: (apply_skolem n skolemized_expr subexpr i skolem_const state)
    Type: replacement
    Expected Structure: any boolean expression with a universally quantified subexpression.
    Arguments: n is the index of the target obligation.
               skolemized_expr is the desired replacement.
               subexpr is the universally quantified subexpression to be skolemized.
               i is the quantifier to be replaced with a skolem constant.
               skolem_const is the proposed skolem constant.
               state is the source state.
    Functionality: skolemize universally quantified expressions.

The Skolem_rule retrieves the indexed obligation from the obligation list and skolemizes the specified subexpression of the obligation with the proposed skolem constant. The subexpression can be the entire obligation if the obligation is universally quantified. The function apply_skolem examines the old obligation and the hypotheses in the hypothesis list to check whether the proposed skolem constant is a free variable in any of these expressions. If the skolem constant already exists as a free variable, the rule fails. Otherwise, it is a valid skolem constant, and the function replaceInt is used to replace all occurrences of the identifier in the given subexpression by this constant. After the subexpression is skolemized, it is substituted into the old obligation in place of the old subexpression, and the rule checks whether it matches the desired replacement given by the user. If the subexpression to be skolemized occurs more than once in the obligation, the implementation tries each instance individually to determine whether the replacement produces the proposed result. If no replacement matches the result, the rule fails. Skolemization can only be applied to one universally quantified expression at each application, because a unique skolem constant is needed for each skolemization. If two identical subexpressions in the same obligation are to be skolemized, the rule must be applied twice.

Table 3.4: Instantiation Rule
    Syntax: (instantiate n k state)
    Type: discharge
    Expected Structure: (∀i.P(i)) ⟹ P'(j)
    Arguments: n is the index of the target obligation.
               k is the value with which the quantifier is to be instantiated.
               state is the source state.
    Functionality: instantiate universally quantified expressions.
3.4.4 Instantiation Rule

The Instantiate_rule is a discharge rule. It retrieves the indexed obligation from the obligation list and pattern matches its structure. The obligation is expected to be of the following structure: (∀i.P(i)) ⟹ P'(j), where j is the instance. If it does not match the required form, the rule fails with an error message indicating the expected structure of the obligation. Once the structure is matched, the function instantiate uses replaceInt to replace all occurrences of i, the identifier, by j, the instance, in P(i). If this result is identical to P'(j), then P'(j) is a proper instantiation of ∀i.P(i) and the obligation can be discharged as a tautology. Otherwise, the rule fails.

3.4.5 Induction Rule

Table 3.5: Induction Rule
    Syntax: (induct n k base state)
    Type: replacement
    Expected Structure: ∀i.P(i)
    Arguments: n is the index of the target obligation.
               k is the proposed quantifier for the resulting universally quantified expression.
               base is the proposed base case.
               state is the source state.
    Functionality: provide reasoning with mathematical induction.

The Induction_rule retrieves the indexed obligation from the obligation list and replaces it with three new obligations. As described in Section 2.2.5, this rule rewrites an obligation of the form ∀i.P(i) into

$$P(\mathit{base}),$$

$$\forall k.\ (k > \mathit{base})\ \mathrm{AND}\ (\forall i \in \{\mathit{base}, k-1\}.\ P(i)) \Rightarrow P(k),$$

$$\forall k.\ (k < \mathit{base})\ \mathrm{AND}\ (\forall i \in \{k+1, \mathit{base}\}.\ P(i)) \Rightarrow P(k).$$

For the base case, the function replaceInt is used to replace the identifier by the base case, base. For the induction steps, the implementation ensures that the identifier k is not a free variable within the predicate P. Then it uses replaceInt on the predicate and constructs the forms for the two induction steps.

3.4.6 Definition Rule

Table 3.6: Definition Rule
    Syntax: (by_hypothesis n i state)
    Type: replacement
    Expected Structure: none
    Arguments: n is the index of the target obligation.
               i is the index of the hypothesis on the hypothesis list.
               state is the source state.
    Functionality: retrieve information from hypotheses of the proof.

The implementation of Definition_rule retrieves the indexed obligation, o, from the obligation list, retrieves the indexed hypothesis, h, from the hypothesis list, and replaces the old obligation by h ⟹ o.

3.4.7 Postponement Rules

Table 3.7: Postponement Rules
    Syntax: (postpone n name state)
    Type: discharge
    Expected Structure: none
    Arguments: n is the index of the target obligation.
               name is the name with which to tag the postponed object.
               state is the source state.
    Functionality: postpone verification of an obligation.

    Syntax: (by_postponement n name state)
    Type: replacement
    Expected Structure: none
    Arguments: n is the index of the target obligation.
               name is the name of the postponed object to be retrieved.
               state is the source state.
    Functionality: retrieve information from the postponed list.

    Syntax: (retrieve name state)
    Type: replacement
    Expected Structure: none
    Arguments: name is the name of the target postponed object.
               state is the source state.
    Functionality: move a postponed object back to the list of proof obligations to be verified.

There are three rules in this set: postpone, by_postponement, and retrieve. The arguments of postpone are the index of the obligation to be postponed and a name with which to tag it. Postpone traverses the postponed list scanning for the name. If the name does not exist in the list, the obligation is simply removed from the obligation list and added to the beginning of the postponed list. Otherwise, the rule checks whether this obligation is logically related to the postponed object with the same name. The object from the postponed list and the obligation are translated into their BDD representations with the function eval. If the obligation implies the object, the obligation is removed from the obligation list and replaces the postponed object in the postponed list. If the implication holds in the other direction, the obligation is removed from the obligation list and the postponed list remains the same. When neither relation holds, the rule fails.

By_postponement is similar to the Definition_rule. It retrieves the indexed obligation, o, from the obligation list, retrieves the postponed object, p, with the matching name from the postponed list, and replaces the old obligation by p ⟹ o. It matches the name by traversing the postponed list as is done in postpone.

Unlike the other replacement rules, retrieve adds an obligation to the obligation list. The rule looks up the named postponed object by traversing the postponed list, removes it from the postponed list, and inserts it at the beginning of the obligation list.

3.4.8 Equality Rule

Table 3.8: Equality Rule
    Syntax: (apply_equality n result state)
    Type: replacement
    Expected Structure: (x1 = x2) ⟹ P, where x1 and x2 are of the same type: boolean, integer, or real.
    Arguments: n is the index of the target obligation.
               result is the desired replacement.
               state is the source state.
    Functionality: rewrite an obligation given equality of two variables.

The EQ_rule retrieves the indexed obligation of the form (x1 = x2) ⟹ P. It replaces all occurrences of x1 by x2 in P using the functions replaceInt, replaceReal, and replaceBool. The same replacement is done on the proposed new obligation. If the results of the two replacements match structurally, then the rule replaces the old obligation with the new obligation. If the two results do not match, the rule fails.

3.4.9 If Rule

Table 3.9: If Rule
    Syntax: (rewrite_if n result state)
    Type: replacement
    Expected Structure: x_if True a else b or x_if False a else b, where x_if = b_if, i_if, or r_if.
    Arguments: n is the index of the target obligation.
               result is the desired replacement.
               state is the source state.
    Functionality: simplify conditional expressions.

The function rewrite_if uses pattern matching to simplify (if ... then ... else ...) constructs once the conditions evaluate to True or False. It traverses the expression tree of the indexed obligation, matches the conditions with True or False, and replaces the obligation with the then or else clauses accordingly. If the proposed replacement matches this resulting expression, the replacement is made. Otherwise, the rule fails.

3.4.10 Discrete Rule

Table 3.10: Discrete Rule
    Syntax: (apply_discrete n state)
    Type: discharge
    Expected Structure: (x > y) Equal (x ≥ (y + 1)) or (x < y) Equal (x ≤ (y − 1)), where x and y are of type integer.
    Arguments: n is the index of the target obligation.
               state is the source state.
    Functionality: provide the discreteness property of integers.

The function apply_discrete uses pattern matching to match the obligation against the expected structures. If the retrieved obligation does not match any of these forms, the rule fails. Otherwise, the obligation is discharged from the obligation list.

3.5 User Interface

Interface functions can be built on top of the core functions described in the previous section to ease state manipulations. Because the proof state is protected by an abstract data type and the implementation of these user interface functions lies outside the data type, the set of user interface functions does not affect the soundness of the resulting proof. This section describes the implementation of some user interface functions.
It describes two types of case analysis, one over booleans and the other over integers, explains how an instance of a hypothesis can be discharged in one proof step, and shows how to use abbreviations while printing large expressions. General information for each function is tabulated in the same format as in the previous section. This set of functions can be extended by users to suit the application.

3.5.1 Case Analysis over Booleans

Table 3.11: Case Analysis over Booleans
    Syntax: (CaseAnalysis n case state)
    Type: replacement
    Expected Structure: none
    Arguments: n is the index of the target obligation.
               case is the case to apply case analysis on.
               state is the source state.
    Functionality: boolean case analysis.

Case analysis "over booleans" uses the PC_rule to split an obligation, o, into (case Equal True) ⟹ o and (case Equal False) ⟹ o. Unlike the proof rules in the proof checker, users do not provide the form of the new obligations for this interface function.

3.5.2 Case Analysis over Integers

Table 3.12: Case Analysis over Integers
    Syntax: (CaseAnalysis2 n expr lst state)
    Type: replacement
    Expected Structure: none
    Arguments: n is the index of the target obligation.
               expr is any integer valued expression to apply case analysis on.
               lst is the list of integers (in increasing order) making up the subranges for the cases.
               state is the source state.
    Functionality: integer case analysis.

Case analysis "over integers" uses the PC_rule to break an obligation into multiple obligations with different ranges. The LP_rule is used to ensure that the subranges cover the integers. Like CaseAnalysis over booleans, this interface function does not require the form of the new obligations from the user.

3.5.3 Discharged by Unchanged

Table 3.13: Discharged by Unchanged
    Syntax: (Unchanged n hyp value state)
    Type: discharge
    Expected Structure: none
    Arguments: n is the index of the target obligation.
               hyp is the index of the hypothesis which is used to discharge obligation n.
               value is the proposed value with which to instantiate the target hypothesis.
               state is the source state.
    Functionality: discharge instances of hypotheses as obligations.

Unchanged handles the three most common ways an obligation is discharged given information from the hypothesis list.

1. The target hypothesis and the indexed obligation are structurally equivalent. The argument value is not needed for this scenario; in this case, the user provides a dummy variable as value, which will be ignored by the function.
2. The obligation is a strict instantiation of the hypothesis, i.e. it structurally matches the hypothesis once all occurrences of the hypothesis's quantifier are replaced by the proposed instance, expr.
3. The obligation is an instantiation of the hypothesis, but the quantifier of the hypothesis does not match structurally with the instance, expr.

The first case is discharged by a simple PC_rule, together with the Definition_rule, which extracts the indexed hypothesis. The second case is discharged by calling the Definition_rule to extract the related information, calling the PC_rule to rewrite the obligation into a form which can be handled by the Instantiate_rule, then calling the Instantiate_rule to verify the instantiation. The last case is very similar to the second case, but it can handle cases where the bounds on the quantifier are not structurally identical to those of the hypothesis. The LP_rule is used to validate the obligation's quantifier. The interface function determines which case to apply by examining the structure of the obligation.

3.5.4 Printing a State

The function print_state prints all fields in the given state. It uses the functions getclaim, gethypothesislst, getpostponelst, and getobligationlst to retrieve the different fields from the proof state. Then it maps the printing functions over each of these lists. This function is useful in proof construction and debugging.

3.5.5 Print Abbreviation

The print abbreviation functions allow large expressions to be printed in a more compact and comprehensible form. The functions abbrevBool, abbrevInt, and abbrevReal each introduce an abbreviation-expression pair and append it to an abbreviation list. The abbreviation list is stored as an FL variable by the user. The function print_abbrev takes the abbreviation list and the state, retrieves fields from the state, substitutes expressions with abbreviations, then prints the resulting string.

3.6 Conclusion

This chapter has presented the implementation of the proof checker: the decision procedure for linear programming incorporated into the Voss System and the ten proof rules on top of it. The user interface functions are examples of how the system can be extended to ease proof development. Users can build similar functions according to their needs without compromising the soundness of the proof checker.

Chapter 4. Verification of Real-time Properties

The proof checker was implemented to verify timing issues of real-time systems. As a basis for formal verification, real-time systems are modeled in the Synchronized Transitions language. Real-time properties are stated as safety properties which can be captured by invariants of the programs. These invariants are manually translated into logic predicates as inputs to the proof checker. This chapter describes this approach to real-time verification and compares it with other existing approaches. Much of the material in this chapter is drawn from [15, 16].
Throughout this chapter, a simple synchronous communication circuit is used as an example to illustrate how timing properties of circuits can be represented as real-time properties of programs, and how these real-time properties can be verified. Consider a transmitter-receiver pair operating at the same frequency, as given by a global clock, as shown in Figure 4.4. The transmitter outputs a sequence of values at a fixed period set by a global clock. Consecutive values are assumed to be distinct (for example, by using a self-timed encoding [31]); this is modeled by an alternation between the boolean values true and false. The receiver inputs one value for each period of the global clock. The transmitter and receiver operate at the same rate, but the relative timing of the two is not specified. To verify that this interface operates correctly, it must be shown that no values are dropped or duplicated. This is expressed by the two requirements below:

Requirement 1: When the transmitter is enabled to output a value, the receiver must have already acquired the current value.

Requirement 2: When the receiver is enabled to input a value, the transmitter must have already sent a new value.

Figure 4.4: A synchronous communication circuit (a transmitter and a receiver driven by a common global frequency reference).

These requirements are real-time properties of the synchronous communication circuit. To verify that an implementation of the circuit satisfies these requirements, the circuit can be modeled as a concurrent program, and the requirements can be formalized as safety properties of the program. This chapter shows how the essence of this protocol is captured in Synchronized Transitions and how the proof checker is used to show that no value is dropped or duplicated during the process.

4.1 Synchronized Transitions: a hardware description language

Synchronized Transitions (ST) is a hardware description language in which digital circuits are modeled as concurrent programs. Programs written in ST describe both the computation and the structure of digital circuits. ST can be used to specify designs from a very high level of abstraction down to gate level descriptions. ST is based on a few simple concepts of concurrent programming, such as guarded multiassignments called transitions and asynchronous composition of these transitions. For the purpose of the proof checker, only a subset of the language is used and described in this section. See [21, 28] for a more detailed description of ST.

ST programs are composed of transitions, guarded multiassignments that can be composed asynchronously. Syntactically, transitions are written in the form:

« precondition → action »

The precondition is a boolean valued expression and the action is a multiassignment. To avoid conflicting assignments, the variables appearing on the left side of the multiassignment must be distinct. For example,

« a = b → x, y := x+1, a »

is a transition that, when enabled, can increment x and set y to the value of a. It is enabled whenever a = b holds. Two or more transitions may be combined with the asynchronous operator, ||. Such transitions are performed atomically (i.e. one at a time) and independently. There is no global thread of control: the order in which transitions are executed is independent of where they appear in the program. As an example, the following program sorts a, b, and c into descending order.

« a < b → a, b := b, a » || « b < c → b, c := c, b »

Each of the two transitions can be executed independently whenever its precondition holds and the transition is enabled.
4.2 Safety Properties and Invariants

An ST program denotes a state transition relation that is the basis for verifying properties of programs. Given a program P, V_P denotes the state variables of P, and T_P denotes the transitions of P. A state of P is an assignment of values to the elements of V_P. Let S_P denote the set of all such assignments. Thus, a state variable is a function from S_P to values of the underlying type of the variable. If x is a state variable and s is a state, let x(s) (also written as x.s) denote the value of x in state s. If E is an expression of state variables, then E(s) (or E.s) has the obvious meaning.

A transition is composed of a precondition and a multiassignment. Let t = « g → l := r » be a transition. The precondition g is a function from states (i.e. S_P) to booleans: g(s) is true if and only if t is enabled in state s. The multiassignment l := r is a function from S_P to S_P. Let m denote this function: s_2 = m(s_1) if and only if state s_2 is obtained by performing the multiassignment l := r in state s_1. Let R_P ⊆ S_P × S_P denote the state transition relation of P. Given two states s_1 and s_2, a program can make a transition from s_1 to s_2 if and only if there is a transition that is enabled in state s_1 such that performing that transition leads to state s_2. More formally,

$$(s_1, s_2) \in R_P \;\equiv\; \exists\, \langle\!\langle g \to m \rangle\!\rangle \in T_P.\ g(s_1) \wedge (s_2 = m(s_1))$$

A system satisfies a safety property Q if Q holds in the initial state and in all states reachable from the initial state. A state s is reachable from s_0 if and only if there exists a sequence of transitions which leads to state s when started at state s_0. A standard approach to verifying such a safety property is to find an invariant I such that Q_0 ⟹ I and I ⟹ Q, where Q_0 is the initial state predicate (a condition which holds in the initial state).

A predicate I is an invariant of the program P (written as inv(I, P)) if I holding in one state guarantees that I will hold in all successive states. Two properties are used in proving a predicate to be an invariant:

Property 1. Let (T_1, V) and (T_2, V) be programs where T_1 and T_2 are sets of transitions and V is a set of variables. A predicate I is an invariant of (T_1 || T_2, V) if and only if I is an invariant of both (T_1, V) and (T_2, V).

Given a program P and a predicate I on states of P, Property 1 shows that each transition of P can be considered separately in showing that I is an invariant of P. The next property shows how to establish that I is an invariant of a single transition.

Property 2. Let P = (« C → l := r », V). Let I be a predicate. I is an invariant of P if and only if:

$$\forall s_1, s_2 \in S_P.\ I(s_1) \wedge C(s_1) \wedge (l(s_2) = r(s_1)) \wedge (\forall v \in V - L : v(s_2) = v(s_1)) \Rightarrow I(s_2)$$

where L is the set of variables appearing in l.

Given these two properties, to determine whether the predicate I is an invariant of the program P = (t_1 || t_2 || ... || t_n, V), where t_i = « C_i → l_i := r_i », verification of the following clause is required:

$$\begin{aligned}
\forall s_1, s_2 \in S_P.\ \big(\ & (I(s_1) \wedge C_1(s_1) \wedge (l_1(s_2) = r_1(s_1)) \wedge (\forall v \in V - L_1 : v(s_2) = v(s_1))) \Rightarrow I(s_2) \\
\wedge\ & (I(s_1) \wedge C_2(s_1) \wedge (l_2(s_2) = r_2(s_1)) \wedge (\forall v \in V - L_2 : v(s_2) = v(s_1))) \Rightarrow I(s_2) \\
\wedge\ & \cdots \\
\wedge\ & (I(s_1) \wedge C_n(s_1) \wedge (l_n(s_2) = r_n(s_1)) \wedge (\forall v \in V - L_n : v(s_2) = v(s_1))) \Rightarrow I(s_2)\ \big)
\end{aligned}$$

To simplify the expression, state s_2 is written as M(s_1), where M, the multiassignment (l := r), is a function over states of P. The conditions (l(s_2) = r(s_1)) and (∀v ∈ V − L : v(s_2) = v(s_1)) are dropped, since they are implied by the definition of M. The simplified condition

$$\begin{aligned}
\forall s_1, s_2 \in S_P.\ \big(\ & (I(s_1) \wedge C_1(s_1)) \Rightarrow I(M_1(s_1)) \\
\wedge\ & (I(s_1) \wedge C_2(s_1)) \Rightarrow I(M_2(s_1)) \\
\wedge\ & \cdots \\
\wedge\ & (I(s_1) \wedge C_n(s_1)) \Rightarrow I(M_n(s_1))\ \big)
\end{aligned}$$

is the input to the proof checker for verifying inv(I, P). As the input to the proof checker, I(M_i(s_1)) is expanded into I(s_1) with all occurrences of l_i replaced by r_i, where M_i = (l_i := r_i).

When the focus is on proving that a transition preserves an invariant, we sometimes use the notion of a pre state (the state before a transition occurs) and a post state (the state after a transition has occurred). We write x.pre, equivalent to x(pre), to denote the value of x before an execution of a transition, and x.post, equivalent to x(post), to denote the value of x after the transition is executed.

4.3 Expressing Real-time Properties

Returning to the synchronous circuit example, the physical circuit can be described by two simple ST transitions.

« T.v := NOT T.v » || « R.v := T.v »

T.v represents the logical value of the signal output by the transmitter, and R.v represents the logical value of the signal input by the receiver. There is no precondition for either transition; the multiassignments can be performed at any time. The first transition models the transmitter. It states that the value output by the transmitter alternates between empty and non-empty values (T.v := NOT T.v). The second transition, which models the receiver, is similar to the transmitter transition. It models the receiver retrieving the signal from the transmitter (R.v := T.v). In the interleaved model of concurrency provided by ST, the physical structure of the synchronous circuit can be expressed in a clean and simple manner. However, this simple untimed program does not satisfy the two requirements stated above. In this model, statements in a program are executed atomically, but the order of execution is unspecified. Consider the case where the first transition is executed twice consecutively.
This scenario, corresponding to two signals output by the transmitter without the first being retrieved by the receiver, violates requirement 1 stated in the introduction of this chapter. Conversely, executing the second transition twice consecutively violates requirement 2. Timing properties of the system must be captured in the model in order to verify that the system satisfies the stated requirements.

To reason about timing properties, additional constraints must be included in the model of the system. Using the notation and properties of Synchronized Transitions programs, these constraints can be expressed by adding auxiliary variables to the program. These variables are called auxiliary because they are introduced for timing verification and do not correspond to signals of the physical circuit. A real-valued variable $\tau$ is introduced to represent the current time, and other variables are introduced for time-related bookkeeping. In general, there are two kinds of timing properties:

Timing lower bounds: a transition is not performed until after a specified time.
Timing upper bounds: a transition is guaranteed to be performed by a specified time.

Timing lower bounds can be expressed by strengthening the transitions' preconditions. In particular, systems of inequalities describing timing relationships can be introduced as preconditions to transitions. Likewise, the invariant to be proven includes systems of linear inequalities in addition to boolean relationships. This motivates adding a decision procedure for systems of linear inequalities to the proof checker. Given this decision procedure, the proof checker can be used to reason about timing issues in real-time systems. In the synchronous circuit program, auxiliary variables are introduced for time-related bookkeeping and preconditions are added to the two transitions:

<< τ ≥ T.τ + π → T.v, T.τ := NOT T.v, τ >> || << τ ≥ R.τ + π → R.v, R.τ := T.v, τ >>

The variables $\tau$, $T.\tau$ and $R.\tau$ are introduced to the program. The real-valued variable $\tau$ represents the current time, while $T.\tau$ and $R.\tau$ denote the time at which the transmitter last output a signal and the time at which the receiver last input a signal, respectively. The precondition of the first transition, $\tau \ge T.\tau + \pi$, enforces a delay of at least $\pi$ time units between the output of successive values by the transmitter. Likewise, the precondition of the second transition, $\tau \ge R.\tau + \pi$, enforces a delay of at least $\pi$ time units between the retrieval of successive values by the receiver.

Timing upper bounds can be expressed as safety properties of the program's environment. Assertions are added to the program to state that the current time cannot exceed a certain value until after some enabled transition is performed. These assertions are written as a protocol describing the environment [29]. In addition to deriving separate lemmas for each transition of the program, a separate lemma shows that this protocol maintains the invariant. The protocol for the synchronous circuit environment can be described by four clauses:

• $P_1 = \tau.post \le T.\tau + \pi$ is the timing upper bound for the transmitter. It ensures that signals are generated at most $\pi$ time units apart.
• $P_2 = \tau.post \le R.\tau + \pi$ is the timing upper bound for the receiver.
• $P_3 = unchanged(T) \wedge unchanged(R)$ abbreviates $(T.post = T.pre) \wedge (R.post = R.pre)$, which means that if the environment takes an action, $T.\tau$, $R.\tau$, $T.v$ and $R.v$ remain unchanged.
• $P_4 = \tau.post \ge \tau.pre$ states that the current time after an action by the environment, $\tau.post$, must be greater than or equal to the time before the action, $\tau.pre$. In other words, time increases monotonically.

The two requirements stated in the introduction can be formalized as a safety property of the program:
$$Q = \big((\tau \ge T.\tau + \pi) \Rightarrow (R.v = T.v)\big) \wedge \big((\tau \ge R.\tau + \pi) \Rightarrow (R.v \ne T.v)\big)$$
The first clause of the safety property states that the transmitter cannot output a new value until the receiver has picked up the old one; this clause is equivalent to requirement 1. The second clause states that when the receiver picks up a value, it is a new one; this clause corresponds to requirement 2. Given the ST program and the protocol, the following invariant is constructed for the synchronous circuit:
$$I = (\tau \le T.\tau + \pi) \wedge (\tau \le R.\tau + \pi) \wedge (T.\tau \le \tau) \wedge (R.\tau \le \tau) \wedge \big((R.\tau > T.\tau) \Rightarrow (R.v = T.v)\big) \wedge \big((R.\tau < T.\tau) \Rightarrow (R.v \ne T.v)\big) \wedge (R.\tau \ne T.\tau) \wedge (|R.\tau - T.\tau| \le \pi)$$
The first two clauses are $P_1$ and $P_2$ from the protocol as described above. $(T.\tau \le \tau) \wedge (R.\tau \le \tau)$ states that the circuit must appear to be causal as indicated by the auxiliary variables. $(R.\tau > T.\tau) \Rightarrow (R.v = T.v)$ ensures that the transmitter does not output a new value until the receiver has obtained the old one. Similarly, $(R.\tau < T.\tau) \Rightarrow (R.v \ne T.v)$ states that when the receiver picks up a value, it is a new value. These two clauses imply the safety property that no value is duplicated during the process. The clause $R.\tau \ne T.\tau$ states that the transmitter and receiver events must occur at different times. In hardware terminology, coincident transmitter and receiver events would constitute a timing hazard, and in practice some minimum separation must be guaranteed. These issues are explored further in the next chapter. An initial state $Q_0$ can be selected to be
$$Q_0 = (R.\tau = \tau) \wedge (T.\tau = \tau - \pi/2) \wedge (R.v = T.v)$$
Given such $Q_0$, it is easy to see that $(Q_0 \Rightarrow I) \wedge (I \Rightarrow Q)$ holds.

4.4 Summary

To summarize the approach described above, a real-time system is modeled as a concurrent program in ST and its environment is described using a protocol.
Then, invariants are formulated for the system and translated into proof goals for the checker. Through human interaction with the proof checker using the inference rules, the proof goal is simplified to a conjunction of tautologies. The approach of capturing real-time properties by introducing auxiliary variables is employed in [1], and the approach of describing the environment of the program using protocols is described in [29].

Chapter 5

Verifying STARI

STARI (Self-Timed At Receiver's Input) is a signaling technique that combines synchronous and asynchronous design methods to achieve higher communication bandwidth than either alone. STARI uses a synchronous transmitter, a synchronous receiver, and a self-timed FIFO. This chapter demonstrates an application of the proof checker by applying it to verify the timing properties of STARI. Section 5.1 provides an overview of the STARI interface and addresses some of the timing criteria for the system. Section 5.2 models the system as an ST program and formulates an invariant for the program which implies the safety properties of the system. Section 5.3 summarizes results from the proof. Experience from using the proof checker is discussed in section 5.4, and section 5.5 evaluates the effectiveness of the proof checker on the STARI proof.

5.1 STARI Interfaces

The implementation of the synchronous transmitter-receiver pair described in Chapter 4 is only a model to demonstrate an approach to verifying safety properties in real-time systems; it can fail if the value output by the transmitter changes at almost the same time as the value is input by the receiver. This is because with real hardware, operations take some amount of time and are not instantaneous as the atomic semantics of Synchronized Transitions would suggest. In a traditional synchronous system, a global clock is used to ensure that the changing and sampling of data are separated in time.
This separation must be larger than the uncertainty in the timing of the clock signal. This uncertainty is called skew. Skew often limits the performance of synchronous systems. To show that an interface operates correctly, it must be shown that new data arrives at the synchronous section of the receiver at a time that is well defined relative to the receiver's clock.

Figure 5.5: STARI communication. A synchronous transmitter and a synchronous receiver, each with local synchronous circuitry, are connected through a self-timed FIFO; the global clock reaches each of them through an arbitrary delay.

STARI is motivated by the observation that it is a relatively simple matter to distribute a frequency reference signal throughout a large system. On the other hand, it is difficult to control the exact phase of high-frequency signals. As mentioned above, this skew limits the performance of purely synchronous systems. Self-timed designs avoid clock skew by using handshake protocols. If no assumptions are made about the delays of components and wires, then each transmitted bit must be acknowledged before the next one is sent. In self-timed circuits, these handshakes determine the rate of data transmission, and the round-trip delay incurred on each transmission-acknowledge cycle can limit performance. In a STARI interface, a global clock determines the rate of data transmission and the receiver's self-timed FIFO can compensate for skews exceeding several clock periods. In this way, STARI overcomes both the clock-skew limitations of purely synchronous designs and the round-trip delays of purely self-timed interfaces.

Figure 5.5 shows a STARI interface. The key component is a self-timed FIFO that receives data from a synchronous transmitter and delivers data to a synchronous receiver. During each cycle (period of the global frequency reference), the transmitter sends one datum that is inserted into the FIFO upon arrival.
Successive values are distinguished by using a self-timed data encoding [31]. Likewise, the receiver removes one item from the FIFO each cycle. Once properly initialized, the FIFO never overflows or underflows. For correct operation, the FIFO must complete each insert and remove operation within one cycle. When this requirement is met, the FIFO appears as a synchronous component to both the transmitter and the receiver. Furthermore, both the transmitter and the receiver appear to the FIFO as well-behaved self-timed systems. The transmitter produces a new data value each clock cycle, just as if the FIFO were another component synchronous to its own clock. As will be shown, the FIFO performs each insert operation within one cycle, which means the FIFO acknowledges the previous data value before the next value arrives. Thus, the synchronous transmitter satisfies the self-timed signaling conventions of the self-timed FIFO. Likewise, a prompt response of the FIFO to acknowledgements from the receiver guarantees that the receiver does not issue an acknowledgement until the corresponding data value is present. Therefore, the interface between the FIFO and the receiver is correctly timed.

5.1.1 Self-timed FIFOs for STARI

To verify STARI, a particular FIFO implementation must be chosen. Consider an implementation that uses a ripple FIFO where successive data values in the FIFO are distinguished according to some self-timed encoding. For verification purposes, the analysis of the interface does not depend on the specific data encoding. The transmitter output can be modeled as alternating between two values: "full" (represented by true) and "empty" (represented by false).

A self-timed FIFO can be implemented using a linear array of stages with outputs y(1) ... y(n) which operate according to the following rule: stage j may copy its input, y(j−1), to its output, y(j), when its successor stage has acquired its current value (i.e. y(j) = y(j+1)). Thus, when a stage and its successor are both empty, the stage can acquire a full value from its predecessor. Conversely, when a stage and its successor are both full, the stage can acquire an empty value from its predecessor. This protocol has a simple implementation consisting of a Muller C-element and an inverter, as shown in Figure 5.6.

Figure 5.6: A self-timed FIFO. Stage j is a Muller C-element with inputs y(j−1) and x(j) and output y(j), together with an inverter producing x(j) = ¬ y(j+1).

Operation of a Muller C-element:
  inputs F, F  →  output F
  inputs T, T  →  output T
  inputs F, T  →  output unchanged
  inputs T, F  →  output unchanged

ST code for stage j (without auxiliary variables for timing):
<< y(j−1) = x(j) → y(j).v := y(j−1).v >> || << x(j) := ¬ y(j+1) >>

This design is delay insensitive [30] and will function correctly regardless of the delays in the C-elements, inverters, and wires as long as the transmitter and the receiver observe the self-timed protocol. In a self-timed design, these conditions on the transmitter and receiver are enforced by handshakes using the data and acknowledge signals. In a STARI interface, the time between when a stage is enabled to perform an action and when that action is taken must be bounded. For the schedules described below, the transmitter and receiver can be guaranteed to operate according to the self-timed protocol when each performs one operation during each cycle of the global clock. Because the transmitter does not require acknowledgements from the FIFO to send successive values, the performance of STARI is not limited by round-trip delays.
5.1.2 A schedule for STARI

To verify STARI, it is necessary to show that after each data value arrives from the transmitter, an ack_out event is generated by the FIFO before the next value from the transmitter arrives. Similarly, after each ack_in event from the receiver, the FIFO is required to output a new data value before the next ack_in event occurs. To perform a new operation, each FIFO stage must wait for data from its predecessor (or the transmitter) and an acknowledgement from its successor (or the receiver). These dependencies are transitive; therefore, the timing of each stage depends on the times of the operations of all stages and of the transmitter and receiver. Accordingly, a global schedule for FIFO operations is required to establish the correct operation of STARI. The schedules presented in this section are from [15]. They are presented in an informal, intuitive fashion. In section 5.2, the version with bounded delays is formalized using the ST notation, and the verification of this version using the proof checker is described in sections 5.3 and 5.4.

The schedule of STARI depends on the model of the timing for the operation of the transmitter, receiver, and FIFO. The model used here assumes that the clock skew between the transmitter and receiver has some arbitrary, constant value. On the other hand, stage delays are only bounded from above. The actual delay of a stage can be anywhere from zero to this bound, and the stage can exhibit different delays for different operations. This model uses the quantities defined below:

$n$: The number of stages in the FIFO. Assume $n > 0$.

$\delta$: The stage delay. The delay from when a stage has received both a new data value at its input and an acknowledgement for its current output until the stage outputs the new value is at most $\delta$.
In this model, $\delta$ is an upper bound, and the actual delay may differ for different stages or for successive operations of the same stage.

$\pi$: The period of the global clock. New data values arrive at data_in separated by exactly $\pi$ time units, and successive acknowledgements arrive at ack_in separated by exactly $\pi$ time units.

$\Delta$: The time from a transmitter event until the corresponding receiver event. In a correctly operating interface, the transmitter will output a value on data_in at some time $\tau_t$, and the receiver will assert ack_in for this value at some later time $\tau_r$. In this case, $\Delta = \tau_r - \tau_t$. Since successive transmitter events and successive receiver events occur with the same period, $\Delta$ is a constant. For $(n+1)\delta < \Delta < (n+1)(\pi - \delta)$ it will be shown that the STARI interface operates correctly, in which case $\Delta$ can be understood as the FIFO latency.

To motivate the schedule for FIFO operations, a simplistic scenario with fixed delays is considered first. With completely deterministic timing, the analysis for this case is straightforward, and many of the ideas from this simplified version can be applied directly to the bounded delay model and appear in the proof. In the fixed delay case, each stage performs an operation once every $\pi$ time units, and the details of the schedule are determined by the relative phases of these operations. A convenient way to describe these relative phases is to derive the delays between when a stage receives a new value at its data input and when it propagates this value to its output. The delay for stage $j$ is written as $\Delta(j)$. The sum of these delays is the latency of the FIFO:
$$\sum_{j=1}^{n+1} \Delta(j) = \Delta \qquad (5.1)$$
Note that $\Delta(n+1)$ corresponds to the delay from when a value is output by the FIFO until the subsequent acknowledgement is output by the receiver.
In steady state operation, the stages of the FIFO can be partitioned according to the order in which their data and acknowledge inputs arrive. The stages closest to the transmitter receive new data values after they have received an acknowledgement for the previous value from their successors. When a data value arrives at the input of such a stage, it is copied to the output $\delta$ time units later. For the stages closest to the receiver, data values arrive before acknowledgements. If a stage and its predecessor both wait for acknowledgements, then $\pi - \delta$ time units elapse between the arrival and departure of a data value at the stage (see [16]). The remaining stage waits for an acknowledgement but its predecessor waits for data. The time for this stage to forward a data value is bounded by the times for the other two cases.

Let stage $k$ be the first stage that waits for acknowledgements. To satisfy equation 5.1 and the relationships $\delta \le \Delta(j) \le \pi - \delta$, a simple pigeon-hole argument yields:
$$\Delta(j) = \begin{cases} \delta & \text{if } j < k \\ \alpha & \text{if } j = k \\ \pi - \delta & \text{if } k < j \end{cases} \qquad (5.2)$$
where
$$k = n + 1 - \left\lfloor \frac{\Delta - (n+1)\delta}{\pi - 2\delta} \right\rfloor, \qquad \alpha = \Delta + (k-1)(\pi - 2\delta) - n(\pi - \delta) \qquad (5.3)$$
To ensure that $k$ is between 1 and $n$, it is required that

$0 < \delta$, FIFO stages are causal
$2\delta < \pi$, minimum "clock" period
$(n+1)\delta < \Delta < (n+1)(\pi - \delta)$, bounds on skew

Figure 5.7 shows $\Delta(j)$ for a typical STARI interface with fixed delays.

Figure 5.7: Stage-to-stage transfer times.

Now consider a FIFO with bounded delays. The delay between when a stage receives a new data value and when it outputs the value may be lower than in the fixed delay case. As the total latency of the FIFO remains fixed, there must also be stages which have delays greater than those in the fixed delay case. This happens when a stage receives a new data value earlier than it would have in the fixed delay version and must wait longer for an acknowledgement.
It can be shown that in the bounded delay model no stage performs an operation later than the corresponding action is performed in the fixed delay version. This observation leads to the schedule for the bounded delay model. The schedule for STARI with bounded delays is a schedule for the total delay from the time that a data token arrives at the input of the FIFO until it is output by stage $j$, as given by $\Psi(j)$ defined below:
$$\Psi(j) = \sum_{i=1}^{j} \Delta(i) \qquad (5.4)$$
Because $\Psi$ is derived from $\Delta$, this schedule identifies a "waiting for data" region ($j < k$, with $k$ defined by equation 5.3) and a "waiting for acknowledgement" region ($j > k$). In operation, a stage in the "waiting for data" region may end up waiting for an acknowledgement because of a data value arriving early; however, it will not wait longer than the time allowed by the "waiting for data" schedule above. Likewise, a stage in the "waiting for acknowledge" region may wait for a data token, but not so long as to violate the schedule.

5.2 An ST Program for STARI

To verify the timing properties of STARI, the interface is modeled as an ST program. In this program, $\tau$ represents the current time and y(0) through y(n+1) represent signal values. For $1 \le i \le n$, y(i) is the output of the $i$-th FIFO stage. The output of the transmitter is the signal y(0), and y(n+1) is the "acknowledge" signal from the receiver. Three attributes are associated with each signal:

y(i).v  The value of the logical datum output by FIFO stage i, true (full) or false (empty).
y(i).τ  The time at which y(i).v was assigned its current value.
y(i).t  The time at which the value currently held by y(i).v was output by the transmitter.

Given this framework, the descriptions of the transmitter and receiver are straightforward. The transmitter changes the value of y(0).v once every $\pi$ time units. The transition

<< τ ≥ y(0).τ + π → y(0).v, y(0).τ, y(0).t := NOT y(0).v, τ, τ >>

states that changes of the transmitter's output, y(0), occur at least $\pi$ time units apart. Likewise, the protocol clause $\tau.post \le y(0).\tau + \pi$ ensures that changes of y(0) are at most $\pi$ time units apart. Thus y(0) changes once every $\pi$ time units as required. The description of the receiver is equivalent (see Figure 5.8). To describe the FIFO, note that stage j can change its output when stage j−1 has provided a new input value and stage j+1 has acknowledged the current output. Thus, the transition for stage j of the FIFO is

<< (y(j−1).v ≠ y(j).v) AND (y(j).v = y(j+1).v) → y(j).v, y(j).τ, y(j).t := y(j−1).v, τ, y(j−1).t >>

The entire FIFO is described by the asynchronous composition of these transitions for j = 1 .. n:

||_{j=1..n} << (y(j−1).v ≠ y(j).v) AND (y(j).v = y(j+1).v) → y(j).v, y(j).τ, y(j).t := y(j−1).v, τ, y(j−1).t >>

No timing constraints are included in the guard because the FIFO stages only have an upper bound on their delays. A stage is allowed to perform its operation immediately after receiving new data and acknowledge inputs. The following protocol asserts that the transition for a FIFO stage can be enabled for at most $\delta$ time units before being executed:
$$\forall j \in \{1 .. n\}.\ \big((y(j-1).v \ne y(j).v) \wedge (y(j).v = y(j+1).v)\big) \Rightarrow \big(\tau.post \le \max(y(j-1).\tau, y(j+1).\tau) + \delta\big)$$
The complete program for STARI is given in figure 5.8.

5.2.1 The invariant

To verify STARI, it is necessary to show that the self-timed protocol of the FIFO is satisfied by the real-time behavior of the transmitter, FIFO, and receiver. The first criterion is that each value output by the transmitter is inserted into the FIFO before the transmitter outputs another value. Formally, let
$$R_1 = (\tau \ge y(0).\tau + \pi) \Rightarrow (y(0).v = y(1).v)$$
$R_1$ is a safety property of the program. The second criterion is the corresponding condition for the receiver,
$$R_2 = (\tau \ge y(n+1).\tau + \pi) \Rightarrow (y(n).v \ne y(n+1).v)$$
$R_2$ is also a safety property. To verify properties $R_1$ and $R_2$, an invariant $I$ of the program is established such that $I \Rightarrow (R_1 \wedge R_2)$. The key clause of this invariant is a schedule for the internal operations of the FIFO. In particular, the invariant includes the conjunct
$$\forall i \in \{1 .. n\}.\ y(i).\tau \le y(i).t + \Psi(i)$$
Intuitively, $\Psi(i)$ is the maximum time allowed for a value to propagate from the transmitter to the output of stage $i$. The key property of the schedule that will be used in the remainder of this chapter is
$$\forall i \in \{1 .. n+1\}.\ \delta \le \Psi(i) - \Psi(i-1) \le \pi - \delta$$

Figure 5.8: A Synchronized Transitions program for STARI

Constraints on program parameters:
$0 < n$, there is a FIFO
$0 < \delta$, FIFO stages are causal
$2\delta < \pi$, minimum "clock" period
$(n+1)\delta < \Delta < (n+1)(\pi - \delta)$, bounds on skew

Transitions for the transmitter, FIFO, and receiver:
<< τ ≥ y(0).τ + π → y(0).v, y(0).τ, y(0).t := NOT y(0).v, τ, τ >>
|| ||_{j=1..n} << (y(j−1).v ≠ y(j).v) ∧ (y(j).v = y(j+1).v) → y(j).v, y(j).τ, y(j).t := y(j−1).v, τ, y(j−1).t >>
|| << τ ≥ y(n+1).τ + π → y(n+1).v, y(n+1).τ, y(n+1).t := NOT y(n+1).v, τ, y(n).t >>

Protocol for the environment (i.e. assumptions about time):
$unchanged(y)$
$\tau.post \ge \tau.pre$
$\tau.post \le y(0).\tau + \pi$
$\forall i \in \{1 .. n\}.\ (y(i-1).v \ne y(i).v) \wedge (y(i).v = y(i+1).v) \Rightarrow \tau.post \le \max(y(i-1).\tau, y(i+1).\tau) + \delta$
$\tau.post \le y(n+1).\tau + \pi$

Figure 5.9: The invariant for STARI
$$k = n + 1 - \left\lfloor \frac{\Delta - (n+1)\delta}{\pi - 2\delta} \right\rfloor$$
$$\Delta(i) = \begin{cases} \delta & \text{if } i < k \\ \Delta + (k-1)(\pi - 2\delta) - n(\pi - \delta) & \text{if } i = k \\ \pi - \delta & \text{if } i > k \end{cases}$$
$$\Psi(i) = \sum_{j=1}^{i} \Delta(j)$$
$$I_{sched} = \forall i \in \{1 .. n\}.\ y(i).\tau \le y(i).t + \Psi(i)$$
$$I_{causal} = \forall i \in \{0 .. n+1\}.\ y(i).\tau \le \tau$$
$$I_k = (y(0).\tau = y(0).t) \wedge (y(n+1).\tau = y(n+1).t + \Psi(n+1))$$
$$I_t = \tau \le y(0).\tau + \pi$$
$$I_f = \forall i \in \{1 .. n\}.\ (y(i-1).v \ne y(i).v) \wedge (y(i).v = y(i+1).v) \Rightarrow (\tau \le \max(y(i-1).\tau, y(i+1).\tau) + \delta)$$
$$I_r = \tau \le y(n+1).\tau + \pi$$
$$I_{insert} = \forall i \in \{0 .. n\}.\ \big((y(i).v = y(i+1).v) \Rightarrow (y(i).t = y(i+1).t)\big) \wedge \big((y(i).v \ne y(i+1).v) \Rightarrow (y(i).t = y(i+1).t + \pi)\big)$$
$$I = I_{sched} \wedge I_k \wedge I_{causal} \wedge I_t \wedge I_f \wedge I_r \wedge I_{insert}$$
Note that $\Psi(i) - \Psi(i-1)$ is denoted $\Delta(i)$.

The complete invariant is shown in figure 5.9. Each of the clauses has a simple, intuitive interpretation. As is often the case with invariant based verification, several "bookkeeping" clauses are needed to describe the set of states that the system can reach. As described in the previous paragraph, the clause $I_{sched}$ gives a schedule for the internal operations of the FIFO. The clause $I_{causal}$ states that the FIFO is causal as described by the auxiliary variables: no signal may have an assignment time that is in the future. The clause $I_k$ asserts that the schedule is tight at the transmitter and receiver, which implies that the FIFO latency is $\Delta$, matching $\Delta$'s intuitive interpretation. The clauses $I_t$, $I_f$, and $I_r$ state that the transmitter, FIFO, and receiver respectively have completed all operations that should have happened in the past. The clause $I_{insert}$ can be understood by assuming that no data values are dropped by the FIFO, in which case this clause implies that the values of the .t variables are the times at which these values were output by the transmitter. The clause $I_{insert}$ is implied by the other clauses of the invariant and can be proven by induction over the stages of the FIFO.
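The program of figure 5.8 and the invariant of figure 5.9 can be exercised directly. The following Python script is an added example, not code from the thesis: it is an event-driven simulation that fires the transmitter, receiver and FIFO-stage transitions under the environment protocol, drawing each stage delay at random from [0, δ], and asserts R1, R2 and every clause of I in every reachable state. The concrete parameters (n = 4, δ = 1, π = 4, Δ = 10) and the initial state (a fixed-delay steady state at time 0, built so that it satisfies I) are constructed here and are not taken from the thesis. A simulation only samples traces; the proof covers all of them, which is why the thesis does not stop here.

```python
"""Added example (not code from the thesis): simulate the STARI program of
figure 5.8 under its protocol and check R1, R2 and the invariant I of
figure 5.9 on every reachable state.  Parameters and the initial state are
constructed here."""
from fractions import Fraction as F
import random


def stari_schedule(n, delta, pi, Delta):
    """Check the parameter constraints; return k and Psi (equations 5.3, 5.4)."""
    assert n > 0 and 0 < delta and 2 * delta < pi
    assert (n + 1) * delta < Delta < (n + 1) * (pi - delta)
    k = n + 1 - (Delta - (n + 1) * delta) // (pi - 2 * delta)
    alpha = Delta + (k - 1) * (pi - 2 * delta) - n * (pi - delta)
    assert 1 <= k <= n and delta <= alpha <= pi - delta
    psi = [F(0)]
    for j in range(1, n + 2):
        psi.append(psi[-1] + (delta if j < k else alpha if j == k else pi - delta))
    assert psi[n + 1] == Delta          # equation 5.1: the FIFO latency is Delta
    return k, psi


class Sig:
    """Signal y(i): logical value v, assignment time tau, transmit time t."""
    def __init__(self, v, tau, t):
        self.v, self.tau, self.t = v, tau, t


def initial_state(n, pi, psi):
    """Fixed-delay steady state at tau = 0, just after the transmitter fired.
    Item m (transmitted at -m*pi) leaves stage j at -m*pi + Psi(j); each
    signal holds the newest item that has already reached it.  Constructed."""
    y = []
    for j in range(n + 2):
        m = -((-psi[j]) // pi)          # ceil(Psi(j) / pi)
        y.append(Sig(m % 2 == 0, -m * pi + psi[j], -m * pi))
    return y


def enabled(y, j):
    """Guard of the stage-j transition: new input and acknowledged output."""
    return y[j - 1].v != y[j].v and y[j].v == y[j + 1].v


def check_invariant(y, now, n, pi, delta, psi):
    """Clauses of I (I_causal holds because events are processed in time order)."""
    for i in range(1, n + 1):
        assert y[i].tau <= y[i].t + psi[i], "I_sched"
    assert y[0].tau == y[0].t and y[n + 1].tau == y[n + 1].t + psi[n + 1], "I_k"
    assert now <= y[0].tau + pi and now <= y[n + 1].tau + pi, "I_t / I_r"
    for i in range(1, n + 1):
        if enabled(y, i):
            assert now <= max(y[i - 1].tau, y[i + 1].tau) + delta, "I_f"
    for i in range(n + 1):
        assert y[i].t == y[i + 1].t + (0 if y[i].v == y[i + 1].v else pi), "I_insert"


def simulate(n, delta, pi, Delta, events=2000, seed=1):
    """Fire `events` transitions; return how many of each kind fired."""
    rng = random.Random(seed)
    _, psi = stari_schedule(n, delta, pi, Delta)
    y, now, sched = initial_state(n, pi, psi), F(0), {}
    counts = {"tx": 0, "rx": 0, "fifo": 0}
    check_invariant(y, now, n, pi, delta, psi)
    for _ in range(events):
        # Protocol: an enabled stage fires within delta of becoming enabled.
        for j in range(1, n + 1):
            if enabled(y, j) and j not in sched:
                enable = max(y[j - 1].tau, y[j + 1].tau)
                sched[j] = max(now, enable + delta * F(rng.randint(0, 1000), 1000))
        # Transmitter and receiver fire exactly once per clock period pi.
        pending = [(y[0].tau + pi, "tx"), (y[n + 1].tau + pi, "rx")]
        pending += [(t, j) for j, t in sched.items()]
        now, who = min(pending, key=lambda e: (e[0], str(e[1])))
        if who == "tx":
            assert y[0].v == y[1].v, "R1: previous value not yet inserted"
            y[0] = Sig(not y[0].v, now, now)
        elif who == "rx":
            assert y[n].v != y[n + 1].v, "R2: no new value at the FIFO output"
            y[n + 1] = Sig(not y[n + 1].v, now, y[n].t)
        else:
            assert enabled(y, who)
            y[who] = Sig(y[who - 1].v, now, y[who - 1].t)
            del sched[who]
            who = "fifo"
        counts[who] += 1
        check_invariant(y, now, n, pi, delta, psi)
    return counts


if __name__ == "__main__":
    print(simulate(4, 1, 4, 10))
```

Exact rationals are used so that the schedule inequalities, several of which hold with equality in the initial state, are not disturbed by floating-point rounding. Changing a parameter outside the constraints, or starting from a state that violates I_insert, makes one of the assertions fire within a few events, which is the behaviour the proof rules out.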
Proving $I_{insert}$ by induction over the stages was the approach taken in the manual proof in [16]. However, when the proof was checked mechanically, many implicit induction arguments were discovered in the hand-written proof, most of them simple lemmas about unchanged variables. By adding the clause $I_{insert}$ to the invariant, the arguments by induction over the structure of the FIFO become induction arguments over the sequences of states that the system can traverse. The proof was more easily verified by the latter approach.

5.3 The STARI Proof

With the described technique, STARI was modeled as a concurrent program, safety properties of the system were identified, and a predicate $I$ which implies these safety properties was proven to be an invariant of the program. To give an appreciation of the process, this section discusses one segment of the proof in detail, highlights some techniques used in constructing the proof, and presents some of the flaws uncovered in the manual proof.

5.3.1 A snapshot from the proof

As mentioned in chapter 2, a proof can be viewed as a tree with the claim as the root, proof rules labeling the edges, and simple tautologies at the leaves. The STARI proof is mapped into such a structure. The root is the claim that $I$ is an invariant of the program shown in figure 5.8, where the subscripts $t$, $f$, $r$ and $p$ refer to the transmitter transition, the FIFO transitions, the receiver transition and the environment protocol. It can be written as
$$\big(I(s_1) \wedge C_t(s_1)\big) \Rightarrow I(M_t(s_1)) \ \wedge\ \big(I(s_1) \wedge C_f(s_1)\big) \Rightarrow I(M_f(s_1)) \ \wedge\ \big(I(s_1) \wedge C_r(s_1)\big) \Rightarrow I(M_r(s_1)) \ \wedge\ \big(I(s_1) \wedge C_p(s_1)\big) \Rightarrow I(M_p(s_1))$$
The PC_rule splits the claim into four separate clauses. Viewed as a tree, the claim is at the root with four edges, labeled PC_rule, splitting it into its four children: $(I(s_1) \wedge C_t(s_1)) \Rightarrow I(M_t(s_1))$, $(I(s_1) \wedge C_f(s_1)) \Rightarrow I(M_f(s_1))$, $(I(s_1) \wedge C_r(s_1)) \Rightarrow I(M_r(s_1))$, and $(I(s_1) \wedge C_p(s_1)) \Rightarrow I(M_p(s_1))$.

Figure 5.10: A branch from the STARI proof tree. The obligation for one transition is split into the clause obligations cl(sched), cl(causal), cl(k), cl(t), cl(f), cl(r) and cl(insert).
Since the invariant is a conjunction of several clauses, each of the above obligations can be further broken down into
$$(I(s_1) \wedge C_i(s_1)) \Rightarrow I_{sched}(M_i(s_1)),$$
$$(I(s_1) \wedge C_i(s_1)) \Rightarrow I_{causal}(M_i(s_1)),$$
$$(I(s_1) \wedge C_i(s_1)) \Rightarrow I_k(M_i(s_1)),$$
$$(I(s_1) \wedge C_i(s_1)) \Rightarrow I_t(M_i(s_1)),$$
$$(I(s_1) \wedge C_i(s_1)) \Rightarrow I_f(M_i(s_1)),$$
$$(I(s_1) \wedge C_i(s_1)) \Rightarrow I_r(M_i(s_1)), \text{ and}$$
$$(I(s_1) \wedge C_i(s_1)) \Rightarrow I_{insert}(M_i(s_1)),$$
where $i \in \{t, f, r, p\}$. See figure 5.10. This section examines the branch of the proof which verifies that the transitions for the FIFO maintain $I_{sched}$, that is $(I(s_1) \wedge C_f(s_1)) \Rightarrow I_{sched}(M_f(s_1))$, the clause of the invariant that asserts the real-time schedule for STARI. This example is chosen because it emphasizes the real-time aspects of the verification.

Recall that a proof state consists of the claim, the hypothesis list, the obligation list, and the postponed list (see section 2.1.1). For simplicity, only the obligations and the hypotheses are shown in this presentation. Starting with the obligation given above, $I_{sched}(M_f(s_1))$ is skolemized with the skolem constant $sk_i$ so that case analysis can be applied to the term. Using PC_rule to apply case analysis on $(sk_i = j)$, the obligation is split into two terms:

obligations:
$(sk_i = j) \Rightarrow \big((\text{if } (sk_i = j) \text{ then } \tau \text{ else } y(sk_i).\tau) \le (\text{if } (sk_i = j) \text{ then } y(sk_i - 1).t \text{ else } y(sk_i).t) + \Psi(sk_i)\big)$,
$(sk_i \ne j) \Rightarrow \big((\text{if } (sk_i = j) \text{ then } \tau \text{ else } y(sk_i).\tau) \le (\text{if } (sk_i = j) \text{ then } y(sk_i - 1).t \text{ else } y(sk_i).t) + \Psi(sk_i)\big)$
hypotheses: [$C_f$, $I$, constraint]

The second obligation follows directly from the fact that no variables appearing in the obligation were modified by the transition. In the checker, this takes six steps: two steps (using EQ_rule and IF_rule) replace each if expression with the corresponding else clause; two steps (using Definition_rule and Instantiate_rule) instantiate the corresponding clause of the invariant on the hypothesis list with $j$; and the remaining two steps (using PC_rule) perform rewrites to put the obligations into forms suitable for the other rules. Having discharged the simpler of the two obligations, the state of the proof becomes

obligations:
$(sk_i = j) \Rightarrow \big((\text{if } (sk_i = j) \text{ then } \tau \text{ else } y(sk_i).\tau) \le (\text{if } (sk_i = j) \text{ then } y(sk_i - 1).t \text{ else } y(sk_i).t) + \Psi(sk_i)\big)$
hypotheses: [$C_f$, $I$, constraint]

Using EQ_rule and IF_rule, the obligation is rewritten to $\tau \le y(j-1).t + \Psi(j)$. To obtain an upper bound for $\tau$, the clause $I_f$ of the invariant is used. Since the precondition $C_f$ holds, instantiating $I_f$ with $i = j$ yields $\tau \le \max(y(j-1).\tau, y(j+1).\tau) + \delta$. This leads to the essence of the real-time verification of STARI. The current time is bounded from above according to the greater of $y(j-1).\tau$ and $y(j+1).\tau$, that is, according to whether the data or the acknowledge input of stage $j$ arrived last. In either case, the schedule, holding for stages $j-1$ and $j+1$ before the transition for stage $j$ is performed, is used to show that it holds for stage $j$ after the transition is performed. Case analysis is performed according to which of $y(j-1).\tau$ and $y(j+1).\tau$ is greater. The case $y(j-1).\tau \ge y(j+1).\tau$ is presented here; the other case is similar. For this case, rewriting the max function yields the proof obligation
$$O_1:\quad (\tau \le y(j-1).\tau + \delta) \Rightarrow (\tau \le y(j-1).t + \Psi(j))$$
Using linear programming, it can be shown that
$$\begin{aligned} \tau &\le y(j-1).\tau + \delta & (L_1) \\ y(j-1).\tau &\le y(j-1).t + \Psi(j-1) & (L_2) \\ \delta &\le \Delta(j) & (L_3) \end{aligned}$$
together imply
$$\tau \le y(j-1).t + \Psi(j) \qquad (L_4)$$
where $\Delta(j)$ denotes $\Psi(j) - \Psi(j-1)$. In the checker, PC_rule is used to replace proof obligation $O_1$ with $L_1$, $L_2$, $L_3$, and $L_1 \wedge L_2 \wedge L_3 \Rightarrow L_4$. (Note that $L_1$, the antecedent of $O_1$, is also written $L_0$, and $L_4$ is its consequent.) This implication is discharged immediately by LP_rule, demonstrating the utility of a decision procedure for linear programming when reasoning about real-time systems. Of the remaining obligations, the first two can be discharged by instantiating the appropriate hypotheses.
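The step discharged by LP_rule above is a pure linear-arithmetic question: are $L_1$, $L_2$, $L_3$ and the negation of $L_4$ jointly unsatisfiable over the rationals? The following Python script is an added example, not the thesis's checker, that decides exactly that question with Fourier-Motzkin elimination, the textbook complete procedure for conjunctions of linear inequalities, and applies it to the obligation above. Variable names follow the thesis ($\Delta(j)$ is written out as $\Psi(j) - \Psi(j-1)$); the constraint encoding and the helper names `ineq`, `le`, `eliminate`, `infeasible` and `implies` are ours.

```python
"""Added example (not the thesis's LP_rule): Fourier-Motzkin elimination as a
decision procedure for conjunctions of linear inequalities over the rationals,
used to discharge L1 /\ L2 /\ L3 => L4 from section 5.3.1 by refutation."""
from fractions import Fraction as F


def ineq(coeffs, const=0, strict=False):
    """Constraint  sum(coeffs[v] * v) + const < 0   (strict)
                   sum(coeffs[v] * v) + const <= 0  (otherwise)."""
    return ({v: F(c) for v, c in coeffs.items() if c != 0}, F(const), strict)


def le(lhs, rhs, strict=False):
    """lhs <= rhs (or lhs < rhs) for linear terms given as {var: coeff} dicts;
    a bare number stands for a constant term."""
    coeffs, const = {}, F(0)
    for side, sign in ((lhs, 1), (rhs, -1)):
        if isinstance(side, dict):
            for v, c in side.items():
                coeffs[v] = coeffs.get(v, 0) + sign * c
        else:
            const += sign * F(side)
    return ineq(coeffs, const, strict)


def eliminate(system, var):
    """One Fourier-Motzkin step: drop `var` by pairing every lower bound on it
    with every upper bound; a constraint is strict if either parent is."""
    pos, neg, rest = [], [], []
    for c in system:
        a = c[0].get(var, 0)
        (pos if a > 0 else neg if a < 0 else rest).append(c)
    for cp, kp, sp in pos:
        for cn, kn, sn in neg:
            ap, an = cp[var], -cn[var]          # both positive multipliers
            coeffs = {v: an * cp.get(v, 0) + ap * cn.get(v, 0)
                      for v in set(cp) | set(cn) if v != var}
            rest.append(ineq(coeffs, an * kp + ap * kn, sp or sn))
    return rest


def infeasible(system):
    """True iff the conjunction of constraints has no rational solution."""
    system = list(system)
    while True:
        vars_ = {v for c, _, _ in system for v in c}
        if not vars_:
            # Only variable-free constraints remain: k < 0 fails for k >= 0,
            # k <= 0 fails for k > 0.
            return any(k > 0 or (s and k == 0) for _, k, s in system)
        system = eliminate(system, min(vars_))


def implies(hyps, goal):
    """hyps => goal, decided by refuting hyps /\ (not goal)."""
    c, k, s = goal
    negated = ({v: -x for v, x in c.items()}, -k, not s)
    return infeasible(list(hyps) + [negated])


# The obligation from the proof branch, case y(j-1).tau >= y(j+1).tau.
# Variables: tau, yj1_tau = y(j-1).tau, yj1_t = y(j-1).t, psi_j, psi_jm1.
L1 = le({"tau": 1}, {"yj1_tau": 1, "delta": 1})        # I_f instantiated at j
L2 = le({"yj1_tau": 1}, {"yj1_t": 1, "psi_jm1": 1})    # I_sched at stage j-1
L3 = le({"delta": 1}, {"psi_j": 1, "psi_jm1": -1})     # delta <= Delta(j)
L4 = le({"tau": 1}, {"yj1_t": 1, "psi_j": 1})          # I_sched at stage j


def stari_obligation_holds():
    return implies([L1, L2, L3], L4)


def stari_obligation_without_l3():
    """Dropping the schedule bound L3 leaves L4 unprovable, as it should."""
    return implies([L1, L2], L4)


if __name__ == "__main__":
    print(stari_obligation_holds(), stari_obligation_without_l3())
```

Refuting the negated goal is what makes this a decision procedure for implications rather than a solver: the procedure never needs a concrete value for $\tau$ or for the schedule, only the fact that no assignment exists. The same routine cannot handle the obligation about $k$ that the thesis postpones, because the floor in equation 5.3 is not linear.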
The fourth obligation, however, reveals a limitation of this checker. Instantiating the definition of $\Delta$, it is straightforward to verify that $\Delta(j) > \delta$ for the cases $j < k$ and $j > k$. On the other hand, the case $j = k$ produces the obligation

$\delta < \lambda + (k - 1) * (\pi - 2\delta) - n(\pi - \delta)$

To verify this obligation, it is necessary to instantiate the definition of $k$ and then reason about inequalities involving non-linear operations such as floor. Instead, the Postponement_rules are used to transfer this obligation to the suppose list. At the end of the proof, there are two such obligations on the suppose list: the one just described and the closely related

$\lambda + (k - 1) * (\pi - 2\delta) - n(\pi - \delta) < \pi - \delta$

Both can be verified in a few minutes with pencil, paper, and a little high-school algebra.

5.3.2 Some Proof Techniques

The LP_rule and the PC_rule are the core of the proof checker. The LP_rule is intended to reason about linear inequalities within the proof, and the PC_rule is intended to support boolean manipulation. While developing the STARI proof script, it was observed that, in addition to their originally intended functions, these two proof rules are used extensively to restructure expressions into the forms required by other proof rules. Fixed sequences of proof rules are applied to achieve certain subgoals. By examining the proof scripts, common patterns were recognized and interface functions were built to capture these proof sequences. The following paragraphs present some proof techniques involved in developing the STARI proof script and discuss the interface functions implemented to support them.

One frequently used proof technique is case analysis: dividing an obligation into different cases and reasoning about each case with an appropriate method. See sections 3.5.1 and 3.5.2 for a description of the interface functions CaseAnalysis1 and CaseAnalysis2.
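The next paragraph describes a limitation of Instantiate_rule: it matches structurally, so instantiating $\forall i.\ f(i+1)$ by $j-1$ leaves $f(j-1+1)$, and three further rule applications are needed before it can be used as $f(j)$. The following Python block is an added example, not the thesis's FL code. It performs the same blind instantiation on a small expression tree and then normalizes both sides into the sum-of-products canonical form that section 6.1 proposes as an arithmetic decision procedure, so that $f(j-1+1)$ and $f(j)$ are recognized as the same term in one step. The tuple encoding of expressions and every function name below are this example's own assumptions.

```python
# Added example, not code from the thesis: blind quantifier instantiation on
# an expression tree, plus a canonicalizer into sum-of-products form that
# lets (j - 1 + 1) and j be recognized as the same term.  The tuple encoding
# of expressions and all function names are this example's own.
from fractions import Fraction

# Expressions: ('const', n), ('var', name), ('+', a, b), ('-', a, b),
# ('*', a, b), ('app', fname, arg) and ('forall', var, body).

def instantiate(expr, value):
    """Instantiate the outermost forall: drop the quantifier and replace every
    occurrence of the bound variable by `value`, with no simplification."""
    assert expr[0] == 'forall', 'Instantiate_rule needs a quantified obligation'
    _, var, body = expr

    def subst(e):
        tag = e[0]
        if tag == 'var':
            return value if e[1] == var else e
        if tag == 'const':
            return e
        if tag == 'app':
            return ('app', e[1], subst(e[2]))
        if tag == 'forall':                       # an inner rebinding shadows var
            return e if e[1] == var else ('forall', e[1], subst(e[2]))
        return (tag, subst(e[1]), subst(e[2]))   # '+', '-', '*'
    return subst(body)

# A canonical polynomial is {monomial: coefficient}; a monomial is a sorted
# tuple of atom names (repeated for powers) and () is the constant term.
def _clean(p):
    return {m: c for m, c in p.items() if c != 0}

def poly_add(p, q, sign=1):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + sign * c
    return _clean(r)

def poly_mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(sorted(m1 + m2))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return _clean(r)

def render(p):
    """Deterministic text for a canonical polynomial, e.g. 'j' or '2*delta + k*pi'."""
    if not p:
        return '0'
    parts = []
    for m, c in sorted(p.items()):
        mono = '*'.join(m)
        parts.append(str(c) if not m else mono if c == 1 else f'{c}*{mono}')
    return ' + '.join(parts)

def canonical(expr):
    """Rewrite an expression into sum-of-products form.  Function applications
    stay opaque, but their arguments are canonicalized, so f(j-1+1) and f(j)
    end up as the same atom."""
    tag = expr[0]
    if tag == 'const':
        return _clean({(): Fraction(expr[1])})
    if tag == 'var':
        return {(expr[1],): Fraction(1)}
    if tag == 'app':
        return {(f'{expr[1]}({render(canonical(expr[2]))})',): Fraction(1)}
    if tag in ('+', '-'):
        return poly_add(canonical(expr[1]), canonical(expr[2]), 1 if tag == '+' else -1)
    if tag == '*':
        return poly_mul(canonical(expr[1]), canonical(expr[2]))
    raise ValueError(f'cannot canonicalize a {tag!r} node')

def equal_mod_arithmetic(a, b):
    """The check that the text performs by hand with PC_rule, LP_rule and EQ_rule."""
    return canonical(a) == canonical(b)

# The expression from the text:  forall i. f(i + 1)  instantiated by  j - 1.
FORALL_F = ('forall', 'i', ('app', 'f', ('+', ('var', 'i'), ('const', 1))))
J_MINUS_1 = ('-', ('var', 'j'), ('const', 1))

if __name__ == '__main__':
    inst = instantiate(FORALL_F, J_MINUS_1)          # f(j - 1 + 1), unsimplified
    print(inst)
    print(equal_mod_arithmetic(inst, ('app', 'f', ('var', 'j'))))
```

The canonical form also absorbs the identity properties of figure 6.11 ($a + 0 = a$ and $a * 1 = a$) without a separate rule, while the cancellation law needs division, which a sum-of-products representation does not provide; that is one reason the thesis suggests it as an inference rule of its own.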
Because many of the proof rules are implemented using structural matching of expressions, proof states can include cumbersome obligations that require simplification. For example, the Instantiate_rule traverses an expression tree and blindly replaces every occurrence of the quantified variable by the specified instance without recognizing what the expression truly represents. The expression $\forall i.\ f(i+1)$ instantiated by $j-1$ yields $f(j-1+1)$, and the LP_rule is required to verify $(j-1+1) = j$ before the replacement can be applied. In such cases, the PC_rule is used to formulate the simplified expression, the LP_rule to verify the replacement, and the EQ_rule to rewrite the expression into the simpler form. This process can be extremely tedious when large expressions are involved. Such tedious steps could be avoided by adding an arithmetic decision procedure to the proof checker; this approach is discussed in section 6.1.

An invariant proof verifies that a predicate continues to hold after a state change in which the value of some $v \in V$ is modified by a transition (where $V$ is the set of variables in the ST program). Such a predicate is often a conjunction of clauses, and the predicate is proven to be an invariant by analyzing each clause and the effect of each transition on it. Frequently no variable in a clause is changed by a particular transition, and this case is readily discharged by the PC_rule. Many times, the obligation which needs to be proven is a simple instantiation of a clause from the hypotheses. The interface function Unchanged discharges such obligations (see section 3.5).

5.3.3 Flaws from Manual Proof

Having attempted to verify a hand-written proof, various technical flaws were uncovered.
Most of the errors uncovered were typographical mistakes and inadequate justifications for proof steps, and most of these flaws were found in the process of translating the manual proof steps into inputs to the proof checker. All of these errors were in the proof, not in the theorem statement. A more serious error was revealed when attempting to verify

$\delta < \lambda + (k - 1) * (\pi - 2\delta) - n(\pi - \delta) < \pi - \delta$

In the original formulation of the claim, there was an "off-by-one" error in the definition of $k$. Although this was not detected by the proof checker itself, the checker brought it to our attention by reducing the correctness of the claim to the correctness of this simple formula, and the error was discovered on examining it.

5.4 Observations and Experiences

From verifying STARI, a few observations are noted in relation to the proof checker and the proof itself. Two of the major issues are the similarity in overall structure between the verified proof and the manual proof, and how the chosen language, FL, helps the proof development process.

5.4.1 Verified Proof versus Manual Proof

The overall structure of the STARI proof verified by the proof checker is the same as that of the manual proof. Both versions verify the invariant by considering pairs of states, $s$ and $s'$, where $s'$ is produced by performing some transition from state $s$. The invariant is assumed to hold in state $s$, and the proofs show that it continues to hold in state $s'$. In both proofs, the invariant consists of four clauses: three corresponding to the three transitions representing the transmitter, receiver and FIFO, and one clause corresponding to the protocol of the ST program. The central argument of each proof shows that the FIFO maintains the schedule, and both proofs do this by considering whether the data or the acknowledgement arrives last at each C-element. Because the invariant holds in state $s$, the schedule holds for this last arriving input.
The proofs then show that the invariant holds in state $s'$. The major difference between the manual proof and the verified proof is the change in representation of the insert time. As mentioned earlier, the manual proof involves implicit inductions which correspond to many proof steps in their counterparts within the verified proof. In the verified proof, these induction arguments were eliminated by adding the clause $I_{insert}$ to the invariant. Although this clause is redundant (it is implied by the other clauses), the overall proof is simplified by its inclusion.

The number of steps required for the same argument differs between the manual proof and the verified proof. The verified version often involves more steps because of the rigorous nature of a verified proof. However, this is not necessarily the case where reasoning about linear inequalities and boolean manipulation is involved. The two built-in decision procedures for systems of linear inequalities and boolean manipulation discharge such proof obligations in a single step, whereas the manual proof requires multiple steps to simplify the expressions to a manageable size before they can be discharged.

5.4.2 FL as a meta-language

FL was the natural choice for the meta-language of the proof checker, because it provides built-in support for BDDs and supports abstract data types. It is easy to define a next-state function in a functional language. Using FL as the meta-language, it is very natural to pass a proof state to a function, have the inference rule create a new state with respect to the context of the proof rule and the input state, and then return this new state. The language also allows a proof to be viewed as a program, a more structured entity which helps organize the proof. Related sections of a proof script can be combined into a function.
Branches of a proof tree which employ the same proof technique can be written as a function with input variables to adapt to slight variations in similar cases. When similar proof sequences are required, the function is simply called with the appropriate values.

Using a functional language to implement the proof checker also has disadvantages. It is harder to build and modify complex data structures, and hence long lists have to be traversed linearly when looking up an item. This is a performance problem which can be solved by more sophisticated programming.

5.5 Evaluating the Proof and the Proof Checker

The motivation for this research is that hand-written proofs often contain implicit assumptions and unstated arguments, both of which can lead to errors and unsoundness. Theorem provers can be used to verify such proofs; however, existing theorem provers are often extremely tedious and/or require mathematically sophisticated users. Theorem provers which reduce all claims to a small set of fundamental axioms are often tedious [7]. Those that use sophisticated tactics that may allow for shorter proofs can be baffling to a naive user [10, 22, 26, 27, 3, 4].

The hypothesis of this research is that correctness proofs for real-time systems can be machine checked using a small set of decision procedures, and that these procedures can be used at a level of detail comparable to typical hand proofs. A simple proof checker was implemented specifically for the verification of real-time systems. A real-time system (STARI) was verified with the small set of inference rules. The structure of the verified proof is at a level of detail comparable to typical hand proofs. From this exercise, the STARI proof was made more sound: as described in section 5.3, an off-by-one error in the statement and various technical flaws were uncovered in the process.
Chapter 6

Conclusion

This thesis has presented a technique for verifying timing properties of real-time systems. The system is modeled as an ST program; real-time requirements are formulated as safety properties; and a simple proof checker with a small set of inference rules is used to verify manually generated proofs of these properties. This chapter compares the results of this thesis with its initial conjectures, presents some of the unanticipated findings of this investigation, and highlights a few of the most significant findings.

6.1 The Simple Approach to Proof Checking

A simple proof checker was implemented. With its ten inference rules and small type system, the checker is powerful enough to verify real-time properties of concurrent designs such as STARI.

The initial design of the proof checker had nine proof rules: the rules currently in the checker except the Induction_rule. While translating the hand-written STARI proof into input for the proof checker, many implicit induction steps were discovered. It appeared that these could be eliminated by modifying the invariant. However, two induction arguments remained for proving two critical lemmas. Therefore, the Induction_rule was implemented and incorporated into the system. No further extension to the proof checker was needed to verify the STARI proof. The author believes that many proofs of real-time properties are based on similar arguments using predicate calculus, systems of linear inequalities, and simple quantifications over the integers.

Identity properties: $(a + 0 = a) \wedge (a * 1 = a)$
Cancellation law: $(a * c = b * c) \wedge (c \neq 0) \Rightarrow a = b$

Figure 6.11: Identity Properties and Cancellation Law of reals

Unlike typical theorem provers, the type system in this checker is small. It includes boolean, integer, and real types as well as arrays of these three types.
This type system is sufficient for the STARI proof, since the model of STARI does not require sophisticated data structures. In the manual proof of STARI, the FIFO is represented as an array of records: the output of a C-element is represented by $\{y(i).\tau,\ y(i).v,\ y(i).t\}$. In the proof checker, this is translated into three arrays. To verify systems with more elaborate types, the set of data types provided by the checker may be insufficient and require extension.

As mentioned in previous chapters, the LP_rule was used extensively for algebraic manipulation while verifying the STARI proof. Multiple proof steps are required to arrange an obligation into a structure that can be discharged by the LP_rule and to rewrite other obligations with the appropriate substitutions (see section 5.3.2). This approach can become extremely tedious as the expressions grow. One possible enhancement to the proof checker is a decision procedure for polynomial arithmetic. Such a decision procedure, given an expression, would simplify it and rewrite it into a canonical form of sums of products. The design of this decision procedure needs to be considered carefully to avoid introducing 'surprises' (see section 2.1.2). Inference rules which capture the identity properties and the cancellation law of reals could also prove useful to the checker. Figure 6.11 states these two properties of reals.

6.2 Proofs as Programs

Using the proof checker, it was observed that a proof can be viewed as a program. For many years, people have written long programs whose syntactic and type correctness is verified by a compiler. This allows programmers to concentrate on the algorithms rather than on tedious typing and syntactic issues. In the case of proofs, the proof checker allows users to concentrate on developing the proofs, with the checker flagging unsound arguments.
This approach allows users to focus on the high-level structure of the proofs. Commonly used proof sequences can often be encapsulated in a function which is called with different arguments to provide similar arguments within a proof. This approach is similar to implementing interface functions for the checker, except that it is intended to be more problem specific. It avoids repetition, reduces the amount of code involved, and increases the readability of the proof script.

Many existing theorem provers maintain libraries of verified lemmas which can be reused in different proofs. HOL [7] is an example of such a theorem prover. A large amount of extra work is often required to identify a suitable set of hypotheses when creating such a lemma, and when the lemma is applied, more work may be required to show that these hypotheses are satisfied. As an alternative to instantiating lemmas, the proof checker presented here allows an interface function to be executed every time a similar argument is needed. If the function provides a correct proof, the obligation is discharged. Although there is some lemma corresponding to the class of predicates discharged by the function, the statement of this lemma is implicit, sparing the user the tedium of deriving and justifying a formal statement of the lemma. Re-executing the interface function increases the execution time of a proof; however, the built-in decision procedures make the checker fast enough that this trade-off is justifiable.

Using a traditional theorem prover, a small change at one step can cause a large change in the expressions produced by proof tactics or rewriting heuristics, leading to a failure in another part of the proof. In other words, a small change can lead to divergence from the original proof. In our proof checker, the user provides the rewritten forms for obligations at each step, and this tends to prevent such divergence.
Often, functions are written to compute these rewritten forms. Like a well-structured program, a well-structured proof has well-defined interfaces between the different functions and modules, and these interfaces make proofs robust to incremental changes.

The observation that proofs can be viewed as programs suggests that a proof debugger could be implemented along the lines of a traditional program debugger: single-stepping through functions, printing variables, and tracing back after a step is executed. Because the proof checker is implemented on top of a purely functional language, backward execution should also be possible. Tracing proof steps when a rule fails accounts for a large fraction of the time required to develop a proof. A debugger for the proof checker which allows users to single-step an interface function and displays subexpressions within a proof state could benefit proof development.

6.3 The Postponement Rules

The Postponement_rules were introduced to the proof checker before the checker was fully developed. Proof obligations which could not be discharged by the incomplete proof checker were moved to the postponed list and retrieved back onto the obligation list after the appropriate rules were implemented. While experimenting with these three rules, it was discovered that they can be used to provide a lemma mechanism for the checker, to construct proofs with a more structured layout, and to allow users to refer to obligations by name instead of by index.

As mentioned in the previous section, a lemma can be specified as a function and the function executed whenever the lemma is needed. Alternatively, the corresponding obligation can be moved to the postponed list the first time the lemma is needed. The lemma can then be applied from this list for each subsequent use. After the last use, the postponed lemma can be moved back to the obligation list to be discharged with one sequence of proof steps.
These rules also allow the user to postpone tedious steps in the proof, sketch out the structure of the proof, then retrieve and verify one piece of the proof at a time. As a result the proof becomes more structured and readable. Each postponed object in the list is tagged with a name. By postponing all obligations and retrieving only the obligation currently being worked on, users can work with names instead of indices.

6.4 Variable skew version of STARI proof

The STARI proof described in chapter 5 verifies a model of STARI which assumes that the clock skew between the transmitter and receiver has some arbitrary, constant value. A more ambitious proof verifying the variable-skew model of STARI is under development. Functions are implemented to substitute for similar proof sequences, and the Postponement_rules are used extensively in the proof.

6.5 Summary

A simple proof checker was implemented on top of the functional language FL. With a small set of inference rules and a simple type system, it is powerful enough to verify real-time properties of a communication protocol, STARI. An "off-by-one" error was discovered in the hand-written proof. The design decision that requires the user to provide replacements for obligations, and the Postponement_rules, distinguish this checker from traditional theorem provers. They allow users to view proofs generated with the checker as programs. By providing decision procedures for predicate calculus and systems of linear inequalities, the checker allows the verified proof to closely follow the structure of a manual proof. The simplicity of the checker maintains the overall structure of a manual proof in its certified version.

Bibliography

[1] Martin Abadi and Leslie Lamport. Composing Specifications. In J. W. de Bakker et al., editors, Proceedings of the REX Workshop, "Stepwise Refinement of Distributed Systems". Springer-Verlag, 1989. LNCS 430.
[2] Flemming Andersen, Kim Dam Petersen, and Jimmi S. Pettersson. Program Verification using HOL-UNITY (Progress Report). In HUG '93: HOL User's Group Workshop, pages 1-17, UBC, Vancouver, 1993.
[3] Robert S. Boyer and J. Strother Moore. Integrating Decision Procedures into Heuristic Theorem Provers: A Case Study of Linear Arithmetic. Technical Report ICSCA-CMP-44, Institute for Computing Science and Computer Applications, University of Texas, January 1985.
[4] R. S. Boyer and J. S. Moore. A Computational Logic Handbook. Academic Press, Boston, 1988.
[5] Randal E. Bryant. Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams. ACM Computing Surveys, 24(3):293-318, September 1992.
[6] R. M. Burstall. Research in Interactive Theorem Proving at Edinburgh University. LFCS, Department of Computer Science, University of Edinburgh, October 1986.
[7] Cardell-Oliver, Herbert, and Joyce. UBC HOL Course, June 1990. Lecture Notes from UBC HOL Course, 4-8 June 1990.
[8] K. M. Chandy and J. Misra. Parallel Program Design: A Foundation. Addison-Wesley, 1988.
[9] Colin Clark. Elementary Mathematical Analysis. Wadsworth Publishers, California, 1982.
[10] D. Cyrluk, S. Rajan, N. Shankar, and M. K. Srivas. Effective theorem proving for hardware verification. In Ramayya Kumar and Thomas Kropf, editors, Preliminary Proceedings of the Second Conference on Theorem Provers in Circuit Design, pages 287-305, Bad Herrenalb (Blackforest), Germany, September 1994. Forschungszentrum Informatik an der Universität Karlsruhe, FZI Publication 4/94.
[11] David L. Dill. Timing Assumptions and Verification of Finite-State Concurrent Systems. In Proceedings of the International Workshop on Verification of Finite State Systems (LNCS), Berlin, 1989. Springer-Verlag.
[12] Karen A. Frenkel. An interview with Robin Milner. Communications of the ACM, 36(1):90-95, January 1993.
[13] S. J. Garland and J. V. Guttag. An Overview of LP: the Larch Prover. In Proceedings of the Third International Conference on Rewriting Techniques and Applications. Springer-Verlag, 1989.
[14] David M. Goldschlag. Mechanically Verifying Safety and Liveness Properties of Delay Insensitive Circuits. Formal Methods in System Design, 5:207-225, 1994.
[15] Mark R. Greenstreet. Using Synchronized Transitions for Simulation and Timing Verification. In Jørgen Staunstrup and Robin Sharp, editors, 1992 Workshop on Designing Correct Circuits, pages 215-236, Lyngby, Denmark, January 1992. Elsevier. An earlier version published as Matsushita Information Technology Laboratory technical report MITL-TR-01-91.
[16] Mark R. Greenstreet. STARI: A Technique for High-Bandwidth Communication. PhD thesis, Department of Computer Science, Princeton University, 1993.
[17] A. G. Hamilton. Logic for Mathematicians. Cambridge University Press, Cambridge, 1988.
[18] John Harrison. A HOL Decision Procedure for Elementary Real Algebra. In HUG '93: HOL User's Group Workshop, pages 428-440, UBC, Vancouver, 1993.
[19] Henrik Hulgaard, Steven M. Burns, et al. Practical applications of an efficient time separation of events algorithm. In ICCAD93, pages 146-151, November 1993.
[20] Henrik Hulgaard, Steven M. Burns, et al. An algorithm for exact bounds on the time separation of events in concurrent systems. Technical Report 94-02-02, Department of Computer Science, University of Washington, Seattle, 1994.
[21] Jørgen Staunstrup and Mark R. Greenstreet. Formal Methods for VLSI Design, chapter 2. Elsevier Science Publishers B.V. (North-Holland), 1990.
[22] Sam Owre, John Rushby, Natarajan Shankar, and Friedrich von Henke. Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS. IEEE Transactions on Software Engineering, 21(2), February 1995.
[23] Christos H. Papadimitriou and Kenneth Steiglitz. Combinatorial Optimization: Algorithms and Complexity. Prentice Hall, Englewood Cliffs, New Jersey, 1982.
[24] Kenneth H. Rosen. Elementary Number Theory, page 21. Addison Wesley, 1988.
[25] Carl-Johan H. Seger. Voss: A Formal Hardware Verification System User's Guide. Technical Report 93-45, Department of Computer Science, University of British Columbia, November 1993. Available by anonymous ftp as ftp://ftp.cs.ubc.ca/pub/local/techreports/1993/TR-93-45.ps.gz.
[26] J. U. Skakkebaek and N. Shankar. A Duration Calculus Proof Checker: Using PVS as a Semantic Framework. Technical Report SRI-CSL-93-10, Computer Science Laboratory, SRI International, Menlo Park, CA 94025, USA, December 1993.
[27] J. U. Skakkebaek and N. Shankar. Towards a Duration Calculus Proof Assistant in PVS. In G. Goos, J. Hartmanis, and J. van Leeuwen, editors, FTRTFT, volume 863 of LNCS, pages 660-679. Springer-Verlag, 1994.
[28] Jørgen Staunstrup. A Formal Approach to Hardware Design. Kluwer, 1993.
[29] Jørgen Staunstrup, S. Garland, and J. Guttag. Localized Verification of Circuit Descriptions. In Proceedings of the Workshop on Automatic Verification Methods for Finite State Systems, LNCS 407. Springer-Verlag, 1989.
[30] Jan T. Udding. Classification and Composition of Delay-Insensitive Circuits. PhD thesis, Eindhoven University of Technology, 1984.
[31] Tom Verhoeff. Delay-insensitive codes: an overview. Distributed Computing, 3:1-8, 1988.

Appendix A

User Manual

The proof checker mechanically verifies existing proofs. It enforces the use of sound proof rules, thus increasing the rigor of the proof. The checker is implemented on top of Voss [25], a hardware verification system developed by Carl Seger of the University of British Columbia. Voss provides Ordered Binary Decision Diagrams, which are used for boolean manipulation; linear programming, which is used as a decision procedure for systems of linear inequalities; and a functional language, FL, which is used as the interface language to the proof checker. This document serves as a user manual for the proof checker.
It concentrates on how to use the proof checker and does not go into the details of the theory behind it. Section A.1 gives an overview of the structure of the proof checker. Section A.2 explains how to start the system. Section A.3 describes the syntax used in the checker. Section A.4 lists all the proof rules with their functionalities. Section A.5 describes some interface functions which simplify the generation of proofs and some auxiliary functions which help to form new proof states. Section A.6 is a simple example of how the proof checker is used to verify a simple proof by induction.

A.1 Structure of Proof Checker

The proof checker represents a proof as a sequence of proof states. Each proof state includes the hypotheses and claim of the theorem as well as any pending proof obligations. Initially, a proof has a single obligation, the claim of the theorem. By applying proof rules, pending obligations are rewritten into simpler obligations or discharged. A completed proof has an empty obligation list.

A proof state in the checker is composed of a claim, a hypothesis list, an obligation list, and a postponed list.

• The claim is the main goal to be proven. This field associates the theorem to be proven with its proof.
• The hypothesis list contains the hypotheses of the proof. These are stated at the beginning of the proof. No element can be added to or removed from this list once the proof is stated.
• The obligation list is the list of pending proof obligations to be discharged before the claim is proven. Initially, this list contains exactly one element: the claim. The proof is complete when this list becomes empty.
• The postponed list contains all unverified assumptions made in the course of the proof. Initially, this list is empty. An obligation can be moved to or removed from this list with the Postpone rules described in Section A.4.
Moving a proof obligation to the postponed list is the only way a proof obligation can be discharged without actually proving it. The postponed object can be moved back onto the obligation list to be discharged by a proof rule further along the proof. When a proof is completed, all obligations on the postponed list are printed, and it is the user's responsibility to verify them.

A.2 How to Start/Exit the System

The proof checker is installed under /isd/local/generic/bin/. To invoke the system, either add this directory to your path, update the path by typing source .cshrc, and type checker, or simply type /isd/local/generic/bin/checker. This command executes Voss, loads the FL files for the proof checker, loads the file with interface functions to the proof checker and returns with the FL prompt. To get an earlier version of the proof checker, type checker [version*]. To load the system without the interface functions, the user will have to execute Voss and load the core system manually by typing load /isd/local/generic/lib/checker/state.fl. The core system only includes the core functions of the checker and does not include the interface functions which ease state manipulation. In most cases, the whole system is desired.

Although the system is interactive, keeping a proof script is handy since regenerating a proof state can be time consuming. Once a proof script is generated, it can be loaded into the system with the command

load "script.fl";

assuming that the proof script is named script.fl. To exit the system, simply type quit; after the prompt : as follows:

: quit;

A.3 Syntax Used in the Checker

Before a user can initialize and/or manipulate a proof state, an understanding of the data structures of the different data types defined in this proof checker is needed.
FL provides the primitive types bool, int, and string. For the purpose of this proof checker, more complicated types are needed. There are three main types defined in the proof checker: integer, real and boolean. See Figure A.12 for the definitions of these types. Note that the type constructors will be infix operators in the near future. This section describes the structures of these types and gives examples of how to declare variables and define the problem before starting a proof.

The type int is the FL integer type described in Section 2.2 of [25], and the type string is the FL string type described in Section 2.8 of [25].

The type boolean has the constants True and False. A boolean variable can be declared with the constructor bool as follows:

bool "a";

A reference to this variable can be defined as follows:

let x = bool "a";

In this case, x is a reference to the boolean variable bool "a". Consider the following three statements:

let a = bool "a";
let b = bool "a";
let c = bool "c";

The pointers a and b refer to the same variable bool "a", and c refers to the variable bool "c". The name of the pointer is not required to be the same as the string assigned to the boolean variable, although it is usually convenient.

Integer constants are constructed with the constructor const followed by the integer value. For example, the constant 3 is written as (const 3). An integer variable, x, can be declared as:

: let x = I "x";

<boolean> ::= True | False
            | bool <string>                    // declare a boolean variable
            | Not <boolean>
            | Equal <boolean> <boolean>
            | ==> <boolean> <boolean>          // implication
            | Or <boolean> <boolean>
            | And <boolean> <boolean>
            | b_array <string> <integer>       // declare a boolean array
            | '>= <real> <real> | '> <real> <real> | '<= <real> <real>
            | '< <real> <real> | '= <real> <real> | '<> <real> <real>      // real comparisons
            | $>= <integer> <integer> | $> <integer> <integer> | $<= <integer> <integer>
            | $< <integer> <integer> | $= <integer> <integer> | $<> <integer> <integer>   // integer comparisons
            | forall <integer> <boolean>

<integer> ::= const <int>                      // declare an integer constant
            | I <string>                       // declare an integer valued variable
            | i_array <string> <integer>       // declare an integer array
            | ++ <integer> <integer>           // addition
            | -- <integer> <integer>           // subtraction
            | ** <integer> <integer>           // multiplication
            | iif <boolean> <integer> <integer>

<real>    ::= rconst <int> <int>               // declare a real constant
            | R <string>                       // declare a real valued variable
            | r_array <string> <integer>       // declare a real array
            | '+ <real> <real>                 // addition
            | '- <real> <real>                 // subtraction
            | '* <integer> <real>              // multiplication
            | rif <boolean> <real> <real>

Note: All binary operators are infix operators.

Figure A.12: Definition of Boolean type, Integer type, and Real type.

Real is the type for rational numbers. Real constants are declared as (rconst n d) where n is the integer value of the numerator and d is the integer value of the denominator. Real variables are declared the same way as integer variables except that they use the constructor R. With these constants and variables, more complicated expressions can be constructed using the operations shown in figure A.12.

A.4 Proof Rules

Proof rules are the only way to manipulate a proof state. This section describes these rules. Section A.4.1 describes how to start and end a proof.
Section A.4.2 lists the ten proof rules provided by the proof checker. Each function is explained with three fields: syntax, the function name and how it can be called; description, a brief explanation of the rule; and error messages, a list of possible error messages resulting from the rule and the meaning of each of these messages. Error messages of the form ** <error message> ** are specific to a proof rule; other error messages, without the **, are generated by general subroutines used in different proof rules.

A.4.1 To Start/End a Proof (Start_proof / Done)

To initialize a proof, the Start_proof function creates a proof state from the claim we want to prove and the hypotheses of the proof. This function takes a boolean and a boolean list and returns a state. For example, if we want to prove (x > y) given that (x > r) and (r > y), then we would initialize the proof with:

    let state = (Start_proof (x $> y) [(x $> r), (r $> y)]);

assuming that x, y, and r are of type integer.

A proof state can be viewed with the function (print_state state). This function takes a proof state and returns a string listing the four fields in the proof state. After initializing the proof with Start_proof, we manipulate this proof state through other proof rules until the obligation list becomes empty. When the obligation list becomes empty, we can conclude the proof with the function Done. (Done state) takes the proof state, state, makes sure the obligation list is empty, and prints that the claim has been proven subject to any assumptions that were added to the postponed list in the course of the proof. For the above example, we would get the following message when the proof is done:

    Done state;
    "(x $> y) is proven with the unverified postponed objects: "

In this case, there is no remaining postponed object in the proof.

1. Start Proof:
   syntax: (Start_proof claim hypothesis_lst)
   description: The function Start_proof creates an initial proof state from the claim and the list of hypotheses.
   error messages: This function does not generate any error messages.

2. End Proof:
   syntax: (Done state)
   description: The function Done confirms verification of the proof by checking the obligation list and the postponed list. It gives a warning if debug mode was used in generating the proof. This mode is explained in Section A.4.3.
   error messages:
   ** done: currently in debug mode ** indicates an attempt to end the proof in an invalid mode.
   WARNING: Part of this proof was generated in DEBUG mode. Soundness is not guaranteed. indicates that the proof may not be sound because part of it was generated in a mode designed for proof debugging.

A.4.2 The Ten Proof Rules

This section describes the proof rules provided by the proof checker. Note that all proof rules are functions which take an index (or indices, for the PC rule) into the old obligation list together with other auxiliary information and return a state of type state.

1. Linear Programming Rule:
   syntax: (apply_lp n state)
   description: The Linear Programming Rule is a discharge rule. It requires that the nth obligation of the proof state is of the following form:

       ((Not a) And b And c And ...) Equal False

   where a, b, and c are linear inequalities or negations of linear inequalities. If the obligation holds as a tautology, the rule discharges it as a pending proof obligation, so the obligation list shrinks by one. Otherwise, the rule fails.
   error messages:
   ** LP Rule Failed: obligation not of form b Equal False ** indicates that the structure of the proof obligation is of neither of the forms mentioned above.
   ** LP Rule Failed: system is feasible ** indicates that the obligation cannot be discharged because it is not a tautology.
   Element not in the list indicates that there are fewer than i hypotheses on the hypothesis list. However, note that any other rule can produce the same error message when the index into the obligation list is out of bounds.

2. Predicate Calculus Rule:
   syntax: (apply_PredicateCalc index_list predicate_list state)
   description: The Predicate Calculus Rule is a replacement rule. It takes as its arguments a list of indices into the obligation list, index_list, a list of boolean expressions, predicate_list, and the proof state, state. If the conjunction of the boolean expressions in predicate_list implies the list of indexed obligations, then the indexed obligations are replaced by this list of boolean expressions: the indexed obligations are removed from the obligation list, and predicate_list is inserted into the obligation list where the first indexed obligation was before the removal.
   error messages:
   ** Predicate Calculus Rule Failed: expressions do not imply obligations ** indicates that the desired implication does not hold and the replacement cannot be done.

3. Instantiation Rule:
   syntax: (instantiate n k state)
   description: The Instantiation Rule is a discharge rule. It requires that the nth obligation is of the form ∀P ==> Q. It discharges the obligation if Q is a proper instantiation of ∀P with the instant k. Otherwise, the rule fails.
   error messages:
   ** Instantiate Rule Failed ** indicates that Q is not a proper instantiation of ∀P.
   ** Instantiate Rule Failed: obligation not in the required form forall P ==> Q ** indicates that the structure of the proof obligation is not of the form ∀P ==> Q.

4. Skolemization Rule:
   syntax: (apply_skolem n skolemized_expr subexpr i skolem_const state)
   description: The Skolemization Rule is a replacement rule.
   It takes as its arguments the index of the targeted obligation, n, the desired resulting replacement, skolemized_expr, the universally quantified subexpression to be skolemized, subexpr, the quantifier to be skolemized over, i, the proposed skolem constant, skolem_const, and the proof state, state. Note that universal quantification, in the checker, is always over all integers. The rule skolemizes the obligation or a subexpression of the obligation. Valid choices for the skolem constant are variables that do not appear free in the targeted obligation or on the hypothesis list. If skolemized_expr is a valid replacement, then the nth obligation is replaced by it, and skolemized_expr becomes the nth obligation in the new state. Otherwise, the rule fails.
   error messages:
   ** Skolem Rule Failed: skolem constant is a free variable in hypothesis list ** indicates that the proposed skolem constant already occurs as a free variable in the hypotheses on the hypothesis list.
   ** Skolem Rule Failed: skolem constant is a free variable in expression ** indicates that the proposed skolem constant already occurs as a free variable in the targeted obligation.
   ** Skolem Rule Failed: unable to do replacement ** indicates that the proposed replacement does not structurally match the expected result and that the replacement cannot be done.
   ** Skolem Rule Failed: not universal quantified expression ** indicates that subexpr is not a universally quantified expression and cannot be skolemized.

5. Induction Rule:
   syntax: (induct n k base [b, up, down] state)
   description: The Induction Rule is a replacement rule. It provides a mechanism to reason by mathematical induction over integers. It replaces the nth obligation, which must be a universally quantified expression, by three new obligations: one for the base case, one to induct up, and one to induct down.
   This rule takes as its arguments the index of the targeted obligation, n, the quantifier of the resulting universally quantified expressions for the induction steps, k, the base case value, base, the list of expected results (the base case, b, the case inducting up, up, and the case inducting down, down), and finally the proof state, state. The rule rewrites the nth obligation, of the form $\forall i.\,P(i)$, into

   (a) $P(base)$
   (b) $\forall k.\,((k > base) \mathrel{And} (\forall j \in \{base, \ldots, k-1\}.\,P(j))) \rightarrow P(k)$
   (c) $\forall k.\,((k < base) \mathrel{And} (\forall j \in \{k+1, \ldots, base\}.\,P(j))) \rightarrow P(k)$

   After the replacement, the base case, the argument inducting up, and the argument inducting down become the nth, the (n+1)th, and the (n+2)th obligations respectively, and the old nth obligation is removed from the list.
   error messages:
   ** Induct Rule Failed: proposed index is a free variable in expression ** indicates that k, the proposed quantifier for the universally quantified expression, is a free variable in the original obligation and is therefore an illegal choice for the quantifier.
   ** Induct Rule Failed: invalid rewrite for base case ** indicates that b is not a valid rewrite for the induction base case.
   ** Induct Rule Failed: invalid rewrite for case inducting up ** indicates that up is not a valid rewrite for the case inducting up.
   ** Induct Rule Failed: invalid rewrite for case inducting down ** indicates that down is not a valid rewrite for the case inducting down.
   ** Induct Rule Failed: not universally quantified expression ** indicates that the nth obligation is not a universally quantified expression, as required.

6. Definition Rule:
   syntax: (by_hypothesis n i state)
   description: The Definition Rule is a replacement rule. It allows users to retrieve information from the hypothesis list and apply it to a specific obligation. It takes as its arguments the index of the targeted obligation, n, the index of the hypothesis to use, i, and the proof state, state. This rule replaces the nth obligation, obligation(n), by the new obligation, hypothesis(i) ==> obligation(n), where hypothesis(i) represents the ith hypothesis. If the ith hypothesis exists, the old obligation is removed from the list and the new obligation becomes the nth obligation in the new state. Otherwise, the rule fails.
   error messages:
   Element not in the list indicates that there are fewer than i hypotheses on the hypothesis list. However, note that any other rule can produce the same error message when the index into the obligation list is out of bounds.

7. Postpone Rules:
   The Postpone Rules manipulate the postponed list. This set of rules allows the user to move ahead in a proof without actually proving an obligation. Another use of these rules is to postpone proving an obligation that appears more than once in the course of the proof; the user then discharges the obligation with one sequence of proof steps. There are three rules in this set: postpone, by_postponement, and retrieve. There is a name associated with each element in the postponed list, and these three rules refer to the postponed objects by their names.

   • syntax: (postpone n name state)
     description: The function postpone discharges the nth obligation by moving it onto the postponed list and assigns it the name, name. If the name is already associated with a postponed object, then it checks whether this new postponed object is logically related to the old one. If the new postponed object implies the old one, the old object is removed from the postponed list and the new one is added to the front of the list. If the old postponed object implies the new one, the postponed list is not changed.
     If neither case holds, the rule fails.
     error messages:
     ** Postponed Rule Failed: name already existed for unrelated assumption ** indicates that the name is already used for a postponed object which neither implies the targeted obligation nor is implied by it.

   • syntax: (by_postponement n name state)
     description: The function by_postponement is similar to the Definition Rule. Instead of retrieving information from the hypothesis list, this rule uses an assertion whose justification has been postponed. It looks up the postponed object named name on the postponed list and replaces the nth obligation, obligation(n), by postpone(name) ==> obligation(n), where postpone(name) represents the postponed object tagged with the name name.
     error messages:
     ** By Postponement Failed: failed to match name ** indicates that the given name is not the name of any postponed object on the postponed list.

   • syntax: (retrieve name state)
     description: The function retrieve moves the postponed object named name from the postponed list back to the obligation list, to be discharged by other proof rules. The retrieved postponed object is inserted at the beginning of the obligation list.
     error messages:
     ** Retrieve Failed: failed to match name ** indicates that the given name is not the name of any postponed object on the postponed list.

8. Equality Rule:
   syntax: (apply_equality n result state)
   description: The Equality Rule is a replacement rule. It takes as its arguments the index of the targeted obligation, n, the expected resulting replacement, result, and the proof state, state. It rewrites an obligation of one of the following forms:

       (b1 Equal b2) ==> f(b1,b2),
       (i1 $= i2) ==> f(i1,i2), or
       (r1 '= r2) ==> f(r1,r2),

   where f represents an arbitrary expression, into an expression with the same structure while using (b1,b2), (i1,i2), and (r1,r2) as interchangeable pairs.
   Some of the valid rewrites for the obligation (b1 Equal b2) ==> f(b1,b2) are:

       (b1 Equal b2) ==> f(b1,b2),
       (b1 Equal b2) ==> f(b2,b1),
       (b1 Equal b2) ==> f(b1,b1),
       (b1 Equal b2) ==> f(b2,b2).

   error messages:
   ** Equality Rule Failed: invalid rewritten form ** indicates that result does not structurally match any proper replacement resulting from this rule.
   ** Equality Rule Failed: obligation not of form i=j ==> f(i,j) ** indicates that the structure of the proof obligation matches none of the forms mentioned above.

9. If Rule:
   syntax: (rewrite_if n result state)
   description: The If Rule is a replacement rule. It rewrites the nth obligation as follows: (x_if True a else b) becomes a, and (x_if False a else b) becomes b, where x_if is any of b_if, i_if, or r_if. Then the rule checks whether the expected rewrite, result, is legal.
   error messages:
   ** rewrite if's Failed: invalid rewritten form ** indicates that the proposed replacement, result, is not a legal rewrite.

10. Discrete Rule:
   syntax: (apply_discrete n state)
   description: The Discrete Rule is a discharge rule. It is used to exploit the discreteness property of integers. It discharges the nth obligation if it is of the form

       (x $> y) Equal (x $>= (y ++ one))   or   (x $< y) Equal (x $<= (y -- one)),

   where one is defined to be the integer constant 1.
   error messages:
   ** apply_discrete Failed: obligation not in correct form ** indicates that the obligation cannot be discharged because it is of neither of the forms mentioned above.

A.4.3 Proof Debugging: Debug Mode

Running a proof in the proof checker takes time. It would be time consuming if the user were required to run a proof from the start for every error in the proof script. The debug mode allows the user to manipulate proof states without verification.
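The proof rules above and this debug mode, as an added example that is not the thesis's FL code: a Python model of the proof state with the Definition, Predicate Calculus and Postpone rules, begin_debug/end_debug, and a Done that reports the postponed names and refuses a state left in debug mode. The tuple encoding of booleans, the 1-based indices, and the truth-table decision procedure that stands in for the checker's built-in predicate-calculus procedure are this example's own assumptions.

```python
# Added example, not the thesis's FL code: a Python model of the proof-state ADT
# with the Definition, Predicate Calculus and Postpone rules and debug mode. It
# shows where a rule's soundness check lives, how an unchecked step taints the
# state, and why Done refuses such a state. Assumptions: indices are 1-based and
# booleans are tuples: True/False, ('var', x), ('not', b), ('and'|'or'|'imp'|'eq', a, b).
from dataclasses import dataclass, replace
from functools import reduce
from itertools import product

OPS = {'not': lambda p: not p, 'and': lambda p, q: p and q, 'or': lambda p, q: p or q,
       'imp': lambda p, q: (not p) or q, 'eq': lambda p, q: p == q}

def free_vars(e):
    if isinstance(e, bool):
        return set()
    return {e[1]} if e[0] == 'var' else set().union(*map(free_vars, e[1:]))

def evaluate(e, env):
    if isinstance(e, bool):
        return e
    if e[0] == 'var':
        return env[e[1]]
    return OPS[e[0]](*(evaluate(x, env) for x in e[1:]))

def tautology(e):
    # Exhaustive valuation stands in for the checker's predicate-calculus procedure.
    names = sorted(free_vars(e))
    return all(evaluate(e, dict(zip(names, v)))
               for v in product([False, True], repeat=len(names)))

def implies(a, b):
    return tautology(('imp', a, b))

class RuleError(Exception): pass

@dataclass(frozen=True)
class State:
    claim: object
    hypotheses: tuple
    obligations: tuple
    postponed: tuple = ()     # (name, expr) pairs, most recent first
    debug: bool = False
    tainted: bool = False     # set once any step has run unchecked

def start_proof(claim, hypotheses):
    return State(claim, tuple(hypotheses), (claim,))

def _nth(seq, n):
    if not 1 <= n <= len(seq):
        raise RuleError('Element not in the list')
    return seq[n - 1]

def _replace(state, n, new_obligations, check, failure):
    # In debug mode the check is skipped and the result is marked untrustworthy.
    _nth(state.obligations, n)
    if not state.debug and not check():
        raise RuleError(failure)
    obls = state.obligations[:n - 1] + tuple(new_obligations) + state.obligations[n:]
    return replace(state, obligations=obls, tainted=state.tainted or state.debug)

def apply_predicate_calc(n, predicates, state):
    # Single-index form: predicates replace obligation n only if their conjunction implies it.
    ob = _nth(state.obligations, n)
    conj = reduce(lambda acc, p: ('and', acc, p), predicates, True)
    return _replace(state, n, predicates, lambda: implies(conj, ob),
                    '** Predicate Calculus Rule Failed: expressions do not imply obligations **')

def by_hypothesis(n, i, state):
    # Definition rule: obligation(n) becomes hypothesis(i) ==> obligation(n).
    ob, hyp = _nth(state.obligations, n), _nth(state.hypotheses, i)
    return _replace(state, n, [('imp', hyp, ob)], lambda: True, '')

def postpone(n, name, state):
    # A reused name is accepted only when the two objects are related by implication.
    ob = _nth(state.obligations, n)
    rest = state.obligations[:n - 1] + state.obligations[n:]
    old = dict(state.postponed).get(name)
    if old is None:
        post = ((name, ob),) + state.postponed
    elif implies(ob, old):        # new object is stronger: it replaces the old one
        post = ((name, ob),) + tuple(p for p in state.postponed if p[0] != name)
    elif implies(old, ob):        # old object already covers the new one
        post = state.postponed
    else:
        raise RuleError('** Postponed Rule Failed: name already existed for unrelated assumption **')
    return replace(state, obligations=rest, postponed=post)

def begin_debug(state): return replace(state, debug=True)
def end_debug(state): return replace(state, debug=False)

def done(state):
    # Done refuses a debug-mode state or pending obligations, and lists postponed names.
    if state.debug:
        raise RuleError('** done: currently in debug mode **')
    if state.obligations:
        raise RuleError('obligation list is not empty')    # wording is an assumption
    msg = (f'{state.claim!r} is proven with the unverified postponed objects: '
           + ', '.join(name for name, _ in state.postponed))
    if state.tainted:
        msg += '\nWARNING: Part of this proof was generated in DEBUG mode. Soundness is not guaranteed.'
    return msg
```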
After correcting an error, the user can re-execute the previously verified parts of the proof script in debug mode, where proof steps are not checked. Since the proof rules replace and discharge obligations as requested without verification, execution in this mode is very fast. Normal execution is resumed when the modified portion of the script is reached. Any proof state derived from proof rules executed in debug mode is marked as untrustworthy. Thus, once the entire proof has been debugged, it must be executed again with every step checked for the theorem to be certified by the checker.

The functions begin_debug and end_debug set and reset debug mode. The function begin_debug takes a state and puts it in debug mode. The function end_debug takes a state and puts it in normal (default) mode. It is not required to have matching pairs of begin_debug and end_debug in the proof. Using begin_debug in debug mode does not alter the mode. Using end_debug in normal mode does not change the mode either. Attempting to end a proof in debug mode is an error: the function Done requires a proof state to be in normal mode.

A.5 User Interface

On top of the core system, there are a few user interface functions and some auxiliary functions to ease the tedium of generating proof scripts for the proof checker. The first part of this section lists the interface functions, and the second part describes the auxiliary functions accessible to users.

A.5.1 Interface Functions

There are three sets of user interface functions: Case Analysis, Unchanged, and Print Abbreviation. Certain proof techniques utilize the same or similar sequences of proof rules and manipulate proof obligations in similar ways. Each set of interface functions reduces the number of proof steps by encapsulating a specific sequence of proof rules and manipulations of the proof states in one function call.
Since these functions, like simple proof rules, provide functionality to discharge or simplify proof obligations, we describe them in the same way as the ten proof rules in Section A.4.2. For each set of interface functions, we present its syntax, give a description of its functionality, and list the possible error messages produced by the functions.

1. Case Analysis:
   There are two versions of Case Analysis: one over booleans, called CaseAnalysis, and the other over integers, called CaseAnalysis2.

   • syntax: (CaseAnalysis n case state)
     description: CaseAnalysis is like a replacement rule. It takes as its arguments the index of the targeted obligation, n, the case to apply case analysis on, case, and the proof state, state. It splits a proof obligation into two separate obligations: one with case being True, and the other with case being False. A proof obligation, P, becomes:

         (case Equal True) ==> P   and   (case Equal False) ==> P.

     In place of the nth obligation, P, (case Equal True) ==> P becomes the nth obligation, and (case Equal False) ==> P becomes the (n+1)th obligation in the new proof state.
     error messages: This function does not generate any error messages.

   • syntax: (CaseAnalysis2 n i lst state)
     description: CaseAnalysis2 is like a replacement rule. Given a monotonically increasing list of integers, it enumerates all possible values for a variable and applies case analysis over that variable. This interface function takes as its arguments the index of the targeted obligation, n, the variable, i, over which to apply case analysis, the list specifying the desired integer ranges, lst, and the proof state, state. Given the integer ranges [x(0), x(1), ..., x(m)], the nth obligation, obligation(n), is replaced by the following list:

         (i < x(0)) ==> obligation(n)
         (i < x(1)) And (x(0) <= i) ==> obligation(n)
         (x(m) <= i) And ... And (x(0) <= i) ==> obligation(n)

     In place of the old nth obligation, this list becomes the nth, (n+1)th, ..., (n+m)th obligations in the new proof state.
     error messages: This interface function calls apply_PredicateCalc and apply_lp; therefore, it can produce the same error messages these rules generate.

2. Unchanged:
   syntax: (Unchanged n hyp value state)
   description: In many cases, an obligation can be discharged by instantiating a hypothesis. This function takes the index of the targeted obligation, n, the index of the desired hypothesis, hyp, the value to instantiate the hypothesis with, value, and the proof state, state. Then it tries to discharge the obligation by instantiating the hypothesis with the given value.
   error messages: Unchanged calls the Predicate Calculus Rule, the Definition Rule, the Instantiation Rule and the Linear Programming Rule; therefore, all error messages generated by these proof rules are possible error messages for this interface function.
   ** Unchanged Failed: instantiation and obligation match failed ** is an error message generated exclusively by this function. It indicates that the hypothesis cannot be instantiated to structurally match the obligation.

3. Print Abbreviation:
   In many cases, expressions in a proof state can be large and difficult for the user to read. Print Abbreviation is a set of functions which allow users to introduce abbreviations for expressions.

   • syntax:
         (abbrevBool abbrev expr abbrev_lst)
         (abbrevInt abbrev expr abbrev_lst)
         (abbrevReal abbrev expr abbrev_lst)
     description: The functions abbrevBool, abbrevInt, and abbrevReal introduce abbreviations for boolean expressions, integer expressions, and real expressions respectively.
     They take the proposed abbreviation, abbrev, for an expression, expr, and add it to the abbreviation list, abbrev_lst. WARNING: This set of functions does not check whether the proposed abbreviation is already used for another expression. Since this is an interface function, it does not affect the soundness of the proof checker; however, it can create confusion if one name is used to represent two different expressions.
     error messages: There are no error messages for this set of functions.

   • syntax:
         (Bexpand b abbrev_lst)
         (Iexpand b abbrev_lst)
         (Rexpand b abbrev_lst)
     description: The functions Bexpand, Iexpand, and Rexpand print abbreviations for boolean, integer, and real expressions respectively in their expanded form. The argument b is the abbreviation for an expression, and abbrev_lst is the abbreviation list where all the abbreviation-expression matches are stored.
     error messages: "no such abbreviation" indicates that b is not defined as an abbreviation for any expression.

   • syntax: (display_abbrev abbrev_lst)
     description: The function display_abbrev shows all abbreviation-expression matches. This shows all possible abbreviations which can be used in an expression.
     error messages: This function does not generate any error messages.

   • syntax: (print_abbrev abbrev_lst state)
     description: The function print_abbrev displays a proof state in its abbreviated form.
     error messages: This function does not generate any error messages.

A.5.2 Auxiliary Functions

The proof rules which rewrite proof obligations require proposed replacements from the user. Generating expressions can be a tedious job. The proof checker provides four functions to retrieve different elements from a proof state, and functions for minor modifications of expressions. The four functions which retrieve elements from a proof state are:

1. (getobligation n state), which retrieves the nth obligation from the obligation list in state.
2. (getpostpone n state), which retrieves the nth postponed object from the postponed list in state.
3. (gethypothesis n state), which retrieves the nth hypothesis from the hypothesis list in state.
4. (getclaim state), which retrieves the claim from state.

The auxiliary functions replaceInt, replaceReal, and replaceBool are replacement functions. (replaceInt expr i1 i2) replaces all occurrences of the integer valued subexpression, i1, by the integer valued subexpression, i2, in the boolean expression, expr; (replaceReal expr r1 r2) replaces all occurrences of the real valued subexpression, r1, by the real valued subexpression, r2, in the boolean expression, expr; and (replaceBool expr b1 b2) replaces all occurrences of the boolean, b1, by the boolean, b2, in the boolean expression, expr. The functions lhs and rhs take a boolean expression of the form (a ==> b), and return the left hand side of the implication, a, and the right hand side of the implication, b, respectively.

A.6 Example

This section shows how the proof checker can be applied to an induction proof by proving the following:

    $\sum_{i=1}^{n} f_i = f_{n+2} - 1$

where $f_i$ is the ith Fibonacci number, and $n \geq 1$. This example is from [24]. This claim can be proven by mathematical induction. The base case, where $n = 1$, follows since $\sum_{i=1}^{1} f_i = 1$, and this is the same as $f_{1+2} - 1 = f_3 - 1 = 2 - 1 = 1$. The induction hypothesis is $\sum_{i=1}^{n} f_i = f_{n+2} - 1$. We show that under this assumption $\sum_{i=1}^{n+1} f_i = f_{n+3} - 1$, as follows:

    $\sum_{i=1}^{n+1} f_i = \sum_{i=1}^{n} f_i + f_{n+1} = (f_{n+2} - 1) + f_{n+1} = (f_{n+1} + f_{n+2}) - 1 = f_{n+3} - 1.$

We have followed this manual proof as a guideline to produce a checked version. The following is the script for the machine checked version. This file can be found under /isd/local/generic/lib/checker/examples.

[Script listing not legible in the scanned copy.]
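The Induction Rule of Section A.4.2 applied to this claim, as an added example that is not the thesis's script: Python that builds the base, inducting-up and inducting-down obligations from a tuple-encoded ∀n.P(n) and checks a user's proposed rewrites against them, the way induct does. The tuple encoding, the ('sum', ...) form standing for the summation, and the fresh choice of the bound variable j are this example's own assumptions.

```python
# Added example, not the thesis's code or script: the Induction Rule's rewrite
# over tuple-encoded expressions, applied to the Fibonacci claim of Section A.6.
# Assumptions: ('var', x), ('const', c), ('forall', x, body), the operator tuples
# below, and ('sum', i, lo, hi, body) / ('forall_in', j, lo, hi, body) for the
# bounded forms are this example's encoding, not the checker's FL types.
class RuleError(Exception):
    pass

BINDERS = ('forall', 'forall_in', 'sum')   # e[1] is the bound name, e[-1] its scope

def free_vars(e):
    if not isinstance(e, tuple):
        return set()
    if e[0] == 'var':
        return {e[1]}
    if e[0] in BINDERS:   # bounds are outside the binder's scope; the body is inside
        return set().union(*(free_vars(x) for x in e[2:-1])) | (free_vars(e[-1]) - {e[1]})
    return set().union(*(free_vars(x) for x in e[1:]))

def subst(e, name, term):
    """Replace free occurrences of ('var', name) in e by term (term is a constant
    or a fresh variable here, so no capture check is needed)."""
    if not isinstance(e, tuple):
        return e
    if e == ('var', name):
        return term
    if e[0] in BINDERS and e[1] == name:   # name is rebound: only the bounds are free
        return e[:2] + tuple(subst(x, name, term) for x in e[2:-1]) + (e[-1],)
    return (e[0],) + tuple(subst(x, name, term) for x in e[1:])

def induct_rewrite(obligation, k, base):
    """Rewrite forall i.P(i) into (P(base), inducting-up case, inducting-down case)."""
    if not (isinstance(obligation, tuple) and obligation[0] == 'forall'):
        raise RuleError('** Induct Rule Failed: not universally quantified expression **')
    if k in free_vars(obligation):
        raise RuleError('** Induct Rule Failed: proposed index is a free variable in expression **')
    _, i, body = obligation
    P = lambda t: subst(body, i, t)
    j = next(c for c in ('j', 'j1', 'j2') if c != k and c not in free_vars(body))
    kv, b, one = ('var', k), ('const', base), ('const', 1)
    # (b) forall k. ((k > base) And (forall j in {base..k-1}. P(j))) ==> P(k)
    up = ('forall', k, ('imp', ('and', ('gt', kv, b),
                                ('forall_in', j, b, ('sub', kv, one), P(('var', j)))),
                        P(kv)))
    # (c) forall k. ((k < base) And (forall j in {k+1..base}. P(j))) ==> P(k)
    down = ('forall', k, ('imp', ('and', ('lt', kv, b),
                                  ('forall_in', j, ('add', kv, one), b, P(('var', j)))),
                          P(kv)))
    return P(b), up, down

def check_rewrite(obligation, k, base, expected):
    """The rule accepts the user's [b, up, down] only if each matches structurally."""
    labels = ('base case', 'case inducting up', 'case inducting down')
    for label, got, want in zip(labels, induct_rewrite(obligation, k, base), expected):
        if got != want:
            raise RuleError(f'** Induct Rule Failed: invalid rewrite for {label} **')
    return True

# The claim of this section, constructed here: forall n. (n >= 1) ==> sum_{i=1}^{n} f_i = f_{n+2} - 1
N, I = ('var', 'n'), ('var', 'i')
FIB_CLAIM = ('forall', 'n',
             ('imp', ('ge', N, ('const', 1)),
              ('eq', ('sum', 'i', ('const', 1), N, ('fib', I)),
                     ('sub', ('fib', ('add', N, ('const', 2))), ('const', 1)))))
```

Because the checker quantifies over all integers, the rule also emits the inducting-down obligation; for this claim the guard n >= 1 makes P(k) hold vacuously for every k below the base.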
Appendix B

Proof Script for STARI

B.1 Proof Script for the Transmitter Transition

[Proof script listing not legible in the scanned copy.]
cO ft) CL —- CQ >2-• CO I—-i 5 2 ca 60 l l cj u o 00 CO ^ CJ • £ L-II • r - u . £ x 9 tU £ -" — ' CM I- cu c 3 .5 « * 1 II « i CN 1 1 2 x 2 . J CU CA e £ E"§ I « "S E o oo S i v / -• - — m i _ C I ji >-. x CU -it! w -X U, c n <A . • g . — , — u. CB "5 ii 8- 'i u - I "| I £ « ui in <J — _ . « N I) B O U c o c — o ™ « a s e as « fe X I — N a •§ j w CB » = oo _ •*». tu CA CB CB tS u II 2 55 2 J dT si a r°i II A 2 vi CB .2 I T J 52 .2. Cu T) CB CB tt. 3 & •» to to lO . 00 2 o •°l N . II £v) °J II X V -' *•» T ) s I < ?5 . — — ^ C Cu N t- O II ^ - 3 O Vi tu g 00 CA —« ' — ' I uT N >i N >i 1^2 «•« £ 2 C L '—' CB CA CB tS 0> 55 j c •c C L CB CB U § • TO .2 "o TJ C . C L V U c 9 II ! v> cj o J CJ I •~i 3 <A CA . . CB © II II tU 3 CA II IT V o v> Z CA C tu w T ) ca c tt. < II ^ ft dT S § I  Jl t i c *|Z o. tt. II a o « + — S3 £ u, 2 S 3 S-g. co a) CL. § 2 ? •i= - c ° -n * ^  11 •c o' > • i -"I • - » j (A ' II *" 2 C N " « x 2 - J O CA c o o CD II x> v Js O. o> CJ •£ CB O U . C L — >• UJ X> •c C L CJ CJ CB Ji2 tS [f c "cj o u s CB oo CA tt. 2 — CJ CB 00 3 — CJ* CA ttl J= O CQ + <o + y, C L X u 2 .A 12 2 u c t s—' £Q CB I ft ^ II II Q. , — " CM « -r 2 W CU CA II 2 CM " 2 x 2 U in c » O Q . O C L I ;*> X I ll CJ co u 2 l CB -S a-. 3 _ CJ O J£ 3 2 ?3 o . w 2- 1 1 w A — 3 w «J 0_ 2 V T3 ~ l r = -v C Z w L. CB CB 2 TJ T ) CO CQ C C | tS •K. < c 5 -g. I >> CS u. ^ 1 £ II TJ c < Z^Vi £. cj OJ c N O i' i Vi + - I J M 1A (A ' • TJ TJ C C < < L L 3 CT UJ II ~Z <X.2 — i « ^2 <*> CA — W JO "2 2 CJ C 5 u -2--S >lu 'I x>^j v D- -JS Vi ci CQ « .2 «• w TJ C — U O O.CL. t " j >i i >-x> c •5.0.0 . « S i = » ttT I I S! J X J * ^ Lfi L L I' II tt- V V u T f f + + _ M CQ V> CB II LL. Vi "c3 'cj' 3 C C T O Ol + + SJ J>-(si Q 1  « 0 w —1 A •g I  w ~ i A -' II II o o I A• * II 2, ll — II A cj '"13 J * CA CA _ CJ 2 2 CO CA CA CU •c o. o ~ u. cu N 2 II "> ^ B. c w 9 — .!..>» ^ g- 5" 2 >-3 ? 
a co to CL — CQ 3, 03 II: CJ CU u 00 •c D-E « CO • I ft> tl C L X CJ 1 3 L^  CU Wl ' 11 ' 2 C N " 2 x 2 CU CA C r; T; 'c tt. ts 2 B-11 00 3 S-B. CA cj O . — CD S c 0 CO _ 00 CU CJ u 00 CO B. J£ U. w II 2^ 'i -? cu CJ _ £ <u ts -P a 1 •—' tU "I II •" 2 X 2 J CU CA C _5 J2 'S. Appendix B. Proof Script for STARI 133 O TO CO cfl u _ £ 8. o.J« £•-0 a — to a «» w U _ cu e3 .2 ( J *A IS « to *-ct 8. a J S s-l: I ft s ?»s a A + || tu VS c 9 II V Fa (zero-H (zero $ ) Equal isert And lse, '—* II ra }$< II N . J I "ra « U . QJ ra . u £ i _>> CL CL ra ra II ra ll ra ll oo a 55 a 55 a 1 ra i ra 1 ra c CO c CO c CO pri .a pn pn 15 I I ra w CO to J c •c CL ra is _ to ra — 0 0 3-.2 S ~ ra £ S J D > > > 13 S >> N 1 ) _ o _ cu o . . ra C U QJ u CO J 5 u cs o Z •o c < I f * « J s w2 II J "*hej|"3l 00 u x: . 5 - l- -• N JZ X> toI >, CL CL I CL CL U _ u QJ L» C L >! CL CL II ra ll ra n a 55 a 55 a ra j ra j ra to c to c CO ud t j ud let QJ J= I l?a I ra a ra 55 j c •c CL OJ a. i 75. CL CL 2 CL co « u II ra 2 55 2 1 to c II I— r s 8. J C I >. x> g = to -2 E o " £ QJ — -C «=• I I C L I 15.= £ E S— II . . *e X I A II J" II 2 E 2 f -3 C CT .2 UJ ra ' P oo S := cu J D N 2 II QJ ra s *>, x g-cu CL C O 0 3 cs t-CL O "ra A U yr. II To ••= 2 •°' * I N—. tu CO ll *" 2 cs " 2 K 2 J CU to c J U J U Q_ ^ ' II I** tu CL co ra to •c CL 2 x oo__ w ra _ 3 c cr o w , .. « o. S-S CJ CL co *- a tu II II ra x 2 J CU to c JH E. CL + tu — >> ra II Ii -J II 00 II .5 > > >; II >; > II s >. >; O «> ^ £ OJ o. §•2 o > « U _ cu ed 3 §• 2 p-o-. S3 CL •—-ra — II cu CL c O + 9 fc g £ ^» | sr + — CO ;EIJ-- tu w ^ N + tu tu £ o » u + .5 N + i ? t : £ . w « J S ii S 3 c o + + o A " A 8 II 3 || g I' s II 5 C A < CL ra ^ 2 2 2 ^ co tU CO 55 j c •n CL CL + n 3 2 A II II II o CL Q . + + . E t 3 3 ^ . ° ra ra o g iT-^ ^ = >, II II 2 II 3 3 0 e o A II II > o cs rn r t CL + o + + o c CU t o c : '?« CL CL + + £ o o L. tu c — 8 2 .2 « T3 C < m to . >, CO ' 0 . < ^73 is a 'to cs II c r " UJ II II A V II . > o QJ L. 
N U = S CO > CL I >>• CL CL CS* T3 •o 3 ^ < g S CL g + o o S3 + N + a 3 .2 c ~ >, tu J O w S£ co II .2 U . > , — O i S « S3 II c r N - U J ~ co QJ — — cs to to CO CO m Tt to to to to QJ QJ QJ QJ Appendix B. Proof Script for STARI 134 o CN ca CA U CO to CN C L — I CN C L ~ l 9 2 — " "a. U -« C N cd CA u •— '•5 cu ca ^ II u co V) U _ u O co II 2 A T J v> o o £ c I 3 s-z I § § « s i Z 0,_A = -ill g Vi o ^ P *to CO C L -a — c o + + o C N C N ca c < vi ca « TS u U II u 5 e o 73 .2P U s 2 o .2 c-o •a —-CO Vi J"" 1 3 o. >. A c t II CQ . ca on •n •= C M O -g w « -— CL — co C i t u <o u 00 CO w a. 2 co •£ 11 * a. ' 8 to m 1 x * CU !° cs u a. 2 sir CN g tdT ca 3 CO " I * * > » CO c CS ca U u p u CO T J Ja.. >> 1 Vi T J + ca - tt. fttT cu ^ 31? C sn O C . T 3 ^ A T J + _ CQ -5'° •a y .11 >.< . — . C L CN 2 ca :>•» g w CA 1 CN T J < < CN > * ( U ^ ft) " o 2 3 11 2 w 1 S 3 ti-ll CN .'" x 2 CO CO J c •c C L •5. J II II — CS CO CO >-. >> CO CA .-£••3 3 & £ II II cn «-> CA CA • 2 co cu co co •c C L 2 2 3 3 to to — 2 CS CN CA CA o o O . CL XI X! U U T J T J co co ££ 1 1 x>x> Q . ' o . C L C L CO CO II II 2 2 CO CO CA CO u «3 £ CU [T CO CS c o TS 3 SB "J Q. CO N •- £ ca ca u u 2 2 ca ca * - •= C L . II o iv> K cu N 3 1  9 * o CN g •£"3 | | 3 11 9 ^ CU CO CO CS CS CS o o C L C L I I X X m cn CS CN o o C L CL CU C o + + o u co ca LL M 13 o 3 c3uT 2 ^ CO cu 0 c T J ° 01 II / - v to 11? o 7 = 11 °- + S + •«> C L + '5' cu M c cu CO C C N C o o 9 C L N + — L . EtZ N . ca w w II 2 M cu A 3 ca A I  cu cu _ CO CO CA CO CU CQ to CL cu c o + + o _ x> C O u 00 ca w 2 § C L x 0 CN >. "ca C T co >ls 0 . 2 C L CA ca y II co 2 to 2 J to c o 'CA CL CN cu N 5, .5 £ J 1 fa ^ Is CA CU N II 3 A f. = ca — cs CO CA >< >. CO CA C L /-< CL cu co c O CN « O-3 1 A a . . _ a . C L ca II II cn « < A -CA —. ( J "> •2 * — C M ' C O CO CA <Ztt. >. — T J « 2 ^ tu co — CN o C L >. •=1 XI CS u CA (0 o >l 2 -Xa.2 ll 3 11 CO 2 2 « -CO *^ CO CA CO cu O . — J£ £ c •c C L _ a to o 2 J w CA C 5S • § . o C L >. 
J = I >, Xl CN _CJ "ca U 2 CO CJ •el's i >12 "712 C L CA • ca w O 3 2 J CO c o C L — Xl I 2 CO CA 1 1 CO •"• ° - 2 to A 2 1 •B.LZ ~ CO c o 2 "3 Q o + 1  V Vi cj 2 o CO w d = s < 00 •c C L CA C CO o •£ 1  t l CO w 00 ^ II II «3 4 ) CA " C L _ O I I - J £ 2 O v> — cu 3-= A TlttT I  fi-ll S 11 cu CO Appendix B. Proof Script for STARI 135 O . V ES8. E - §• c + JJ o « c O s.2 s-E g g 3 ra a. e u r r t u C N C o ra 3 2 "5 5.— O "O o o A =5 !! e t u • O OJ J J N •• Cv II o x>^ 8 ct S M ra ? Vi CN g g C L o o 7; o c QJ ra c t Z 3 ra a co i i *— tS QJ CN CT "l CL C L OJ w w fz ra « ca CO 2 CN O C L >, XI I p - ci CN U U T3 OJ II ra Si co ra I to c u ra CN O C L XI ra U "5.2 C L CO CO QJ II ra 2 co ra .1 S i . tU QJ _tO ca "3 ^ tt. £ •3 « "3 U o 2 QJ Q 3 3 2t t f JT "IS CO ^ — , Q.2-3 2-"o "o 3 c c CN < < X T S " "ST >l§ § 3*"> CN 'tu 'to o.3it C L w w ca x w QJ A o A II 3 QJ CO ^ — I ? II £± -C L A S-3-- ~ g «• 5. o H -g . ^ — 5S - II ^ V «e t» o . . . . QJ c -S: QJ C O " o SS •c C L V te QJ CN -£ "if "S 2 S-E. to QJ C L CN ca 3 o 2 ^ •a — C L tt. II V) C L X CN • S-s-x s-QJ C L BQ CO 2 •c g-J S QJ CU QJ O 00 B ca Xi I I QJ QJ ™ to QJ O OD S 2 II CN II 2 ra 2 II E. C L co O . X X w l X QJ QJ to e QJ let JH let •n C L CO II f s | " CO r*S L- *— QJ TIT, C L — , ' £ « Y= ra •° * TS • • QJ CO II a ll tox 2 J 4) (« c N QJ to co _>>< CLCN C L to CO >* — w W CO II II II II m Q* — C N CO CO >> to to t u — Js C L - CU CU CU ^ QJ 2 2 ra to CO QJ ra CN 3 CT I C N o C L >. X I >-, XI U ^ 2 to c u — C I S 0 c 1 < QJ QJ U CO ' l CL CL ca C N CL I ? ° + II iS*e ll ct *-8 8< ra 3 C T w tu tu c o QJ Q j£ 2~ s o _ Q> * S N § • ? •S™ a u 2 ra CJ ct a o + CN C L co u ^cj + =5 + i s 82 ct n a. w v |<X^ C L C 5 C L O 3 ra i S i s LS V _ *e 3 g ^ 3 ?5 3 - < II ^ *e g QJ O IS CO C L 3 X CO — = II Vi CT, LD _ QJ to O C C L 3 is QJ A II 5 ll 3 n v Vi CL X QJ ra 3 cr , C L x : <u - , x S-QJ C L CD 3 C N II ± Si - ! s~ QJ 2 ra C O J n •n C L _ . ~ QJ 1 1 ' QJ QJ U 00 CO w II C L •c g-S QJ "fi o1 . . 
w QJ to II *" 2 CN " 2 x 2 w 1 tU to c 5 C L OJ to H C L X QJ S "XJ c ^ s ° a. 2. ^ rr cr « 2 u| 2 te >< 2 S-B. co tu C L CN ca 3 2^ •P g-00 ,§2 QJ u u oo ca II C L to ~ 2 ^ * s ^ ' QJ tO ' II *" U C N " 2 x 2 QJ co c 3 oo ra 2 I* J - f S ~ _ tu + •§ N , - X) i-^ E II g 2 ? r IT I .A c a o g l l i 3.ii n 3 3 II n CN m CO CO CO CO CN to / u > > ' — CO 2 < ra cj cn CO TJ QJ CO ct "O . . C L C N 2 S-S.-; •a CN -a " V £ • < => >[-N , & J ra i i ll ll "* 2 oT c o CO C L A a. o „ C N u to a QJ QJ QJ QJ •c CL Appendix B. Proof Script for STARI 136 c o u. "» CL — 8 2~ J « E § "3 r\ to — . . L. CO W 1) — II CO CJ I I U w — — CJ CJ c r UJ § 2 — C, CQ o »> tS *J w ^  c 2 . _ " 5 to ~l 2. -2 O J4. CO CO i g ^ te. go £ TJ 73 S a . c a o X > ^ U J 60 CL Si -C"- W t§ § ft-^ II N II A || JZuVi v\ CL « co c a -ll 2 co 2 •n CL 2 ra ca co to CJ « co J s CL "p" II V) 5 2 ° 3 > K CQ ts L. E CL E ex o c qual £ cu CU 1 >. 'a ju 71 2 2 ap CO — CO 1 CQ CN CO E CQ Q . CN E E 2 _3 CQ O y eo a oo ts - u C L co J '£ 2 i, a tu II CO n CL X tu ej x 2 .J tu to rz .2 .2 "EL TJ CJ 60 C -e 2 u CO a " II 2 co 2 to c 5 "El tu J «-j E O to II 2 co 3 Ti a tS » 2 .= 2 co _ CO | XI o oo A CU c o + + C L ; + „ . C J ; co ?u cu S TJ C 3 tu • 4 -V Vi ^ ; E =•? CO •a Si-ts TJ ^1 < = 1) LL 5 <; '—' _ A i i ll II _ v rrv> ~Z.a E n £ 8 >> tu w 71N A c t II II co A II ^V> e II •= A — tU «t> « - ' s i n "So. .2 w I J ^ . c c V V Vi *f> _ o o C L O CU CU C L 7 rsl N ca f-, — w II 2 TJ c < E E S " E E 2 2 cj cj w in ~ *—' to tu CO o CL :*•> JZ I >. X I CQ co y o •5 ^ tu 2 £ CO 11 II II 2 2 2 ™ to CO CJ CJ co  i s • C CL LL. cj c O 'to CL A '5. o Z TJ C (O CN CJ co 2 2 CO CO " S oj CO L . CN o To S 73 = — U CT to CO .2 £ TJ CJ a. n \V> 75. tu N & S II JS ? CN j j f 715 § 2 2 Q.Z . i CO co CQ i '—' tS u II to co 2 I CO CN 3 c r CJ I 71 CL co 2 I 5 ON CN o CL >. J= I > 1 Xl CN 73 u 2 CO u TJ u LA >ls 712 CL to ca «u II co 2 co 2 J tS c o CL >. I >. X l CN _o CO u 2 CO u TJ CJ a. 
712 C L CO CO 0 II CO 2 co 2 J to c r o CL CL 3 u cj o a. o c 0 ca 1 § cj •— _1 o E CJ _1 tu c o a . CO n co c r — 73 UJ 2 t « ca ca P U 3 5 u , c r N am || 3 C c r o UJ -s TJ O ^ U £ S § o - . _ —i CL I J « 1o l < < CL ' CL O A s - l o -s - II CL © O cu i r J is CO — II CJ X ) N O II u Vi 00 . CJ eo 2 •= J = » o i ra + . § J 'I c r "1 UJ g ?x CJ II N II I ^ 2 <: cu -l 2 U-~ 2 CL x II Vi tt" ca " a s ^ x c r S u l) tu l_ I « CL >"» 2 x 72. co u g — CQ co 1= i : 5-s^ fN u. CL CD co a » J JJ j c S " i s > to "—II C O CN " 2 I X c tu CJ ^-^ N 2 ll 2 CO ,—N L_ CJ CL C X o CJ + _ •x ^  "5 to L. CO i i CL 3 ^ x c r S o u 2 Q. >1 2 x 71 to CJ CL — CQ co o 2 5O X) • C CL > X CL co CJ J C II <=- 5 5. x 2 x CJ to tz CJ U U ^ J j _CL~ a 21 cj-- || S: tu cs " 2 x 2 .J CJ to tz S S 'EL c II Appendix B. Proof Script for STARI 137 UJ -2 2 ra cs to to I— CO CA O O o. a. X i X l c o x> o oo A I! 2 2 "cs 2 U U 2 0 0 < a. a. i i _ •5. "5. §_ U o _ T3 1-= « N cr L J} D.UJ ^4 2 *• r o a. o u N CA $>= U)<: Equ: I  s $< n) $< n) i $<= 2 o cu N (zei Nol o C L X i i i X i 2 73 cs u o S oo iS ll ll JZ o ra 1 ^  CO —« tS ft, = & II II 2 2 ra ra tS to C L CJ "~I 73 >>U 7S.2 C L ra ra u £•& x > x > x ^ 2 C L C L C L C L ra ra II II 2 ra ra CA CA Js S Js i i - w V u u u u u u U u u c SS'g. CO '—s u X ) o 2 ra CO 0 0 ~ w ra = oo ra — : s § P II C L _ L. f ii s-S~i ' c i •O M M C *w w i 2 u O 0 0 w CO |_ C L • -a. 2 co CU 5 "g. U . 73 o [2" ra 55 U 1: a || " S 3 X > T 3 CL C C L < ra c A CO '—* U c o X l o Sri. >l'~l X «j II 2 to 2 _ 2 2 C L w ra to A M CO tu II ra C O J c •c C L = CJ p CD — > JO £ ~i - -§5 .2 ra £ > - ii -2 fc II — > X l _ I cu •9 >\S 22 S xi w l ra c OJ ra OJ cs 2 i . E • - JS . . h i o _ 2 II X g - i ° i U J i C CO CO 0 0 • = . . ra QJ S3 oo ra 2 J£ c -Ci E p CA |_ I CL II C L I_ ra ' B- II cu '1 2 ra ra > tS £ 2 £ 3 ra co I I 2 fe. Til «^  ? 
2 U 2 ra 3 ra 13 CO 3 to 2 *"~ 2 73 ra II ra co E 2 C O j E ra J c QJ _J ts c pri let *c C L u cu II A A II II cu ra c 3 O CT + UJ + ^ cu — C co co o 73 3 + Lt + i 3 C > II] t ^ X J . II II cu c e v w = ^ ^ <X = -A •<=• &- S s o 5, to co ^ ^ ^ w CO II « u 5^  « ra CA xi w o C L I X — to tu CO tO « OJ QJ " X ! X ! O w C L , , '—> X _ | X I o o CL CL X X I I >> X I X l 73 Cj oo 2 ~ W CO •— • — o CL X I 2 x i 2 w to M C L _ 0 I n x><~> 7 i 2 C L < -•a OJ QJ X to to ra u x i t c s I & 9- i w x i II 2 ra o o O . CL >. X X I I >< >. X ) X l tu £ • £ >>x>2 C L C L 2 C L C L to QJ > + s< C II + Cj_ A I  C L + QJ C L + V 3 + 2 £ A II II ra cs II II tu QJ C O 2 2 J ra CO to c JU J J 'Q. > e ^ •-• 2 J. S c > >, « ^ A g + l i t CL + C QJ to C + 1 1 C C Q> C L + c C — A .5 C L II =•+ 'I + 3 >. c 2 dt" + II - 3 3 C ™ >;ii. = 3 = >;« ^ - IN r n + 3 C L + c o + + CL + CL + + + QJ C _ 5 w o ± o II 3 '2-_'-5 >> C QJ , * r tt ^ H II II , C N C O QJ ^ <VJ C/l bfl S g QJ o = + IS £ > u •= co ra C 3 2 — ^ I 3 X I U J to > c p + + CL + c C QJ m CA T3 ; c CN 2 tO >, to A S I < A " £ C N ra to ^ w A "> -O II -o 5 11 = < Appendix B. Proof Script for STARI 138 1 I o Q . A vi to c ? + ( J c c S 2 II ? ^ A A "| II II II II u A 3 A A ea I w /r» — o _ c c o o =5 «j S oo I I X J u || ct A . _ I « * lx>"~ •S ^ CL « CO ~ ' ' S3 UJ = II II V V V «y» vt v> ""I ""l ^ ^ j< « w « ' C o . • n to II V a. I - -5 co cj S3 < N J= II J A 2 «••» .2 fl-t Ctfj c II ov ra u. E or ra QJ C/j u. = cr 2 + o ^ *Q a S3 S co o c w t >• A .1 i s , I! Ja $ r | < | A II II JZ I >l>l X I X l cu co co co 'to "co "to — ^ O CJ CJ 2 i « n *u a| ass3 OJ 8.8. _ X> x? w w tS CO - • P X I D to ra X ) X I X T CU >l»l C L C L C L C L ra ra II II OJ cu ra ra II II 2 2 ra ra CO CO CO t o g£ V V' " C C L A I! £ 5 + A o w !i s ?r >- + A — >.xi II + £ rT J * + ^ 1/3 K •w CO ^ E i ! v > 3 ~ 2 * 7 to A < 2 ll X I X I ra J c " C C L CO t*-.. 
JJ CN + co II + co C L • O > , C X < J ^ o > 3 r ^ , XI 3 CN + II ~ > : — ^ tu + — -o + + in JC T ~ "2, 3 to X ra CL ^> — + - O J<! t = £ tu < :•> to . . . , 3 'C" V _ ra ^ co 3 ii >;< X II CN + C^ to II i ? t o JK: . " X " C L ^ > + T3 o < co = >^  + + CQ (SJ + * ^ r ^ CJ v £ ra A C* "I A C" 3 ,< II V 3 ra A II II o w O ^ OJ — 3 o + + 3 CT ' C I 3 I w X l is S 5 > OJ c w ? « it o ^ + + _ CO + U > ; 3 2 E II « xi : A II II X I , tu X I c ^ o tu ^ o . tu + H . i o I + i t * . 3 ra to C o II V II Vi u" o C! t O + i ^  3 _ l l ? c «x j.i ~ —I 3 « U j^l •= M ra to x) U V J o o A < -g CQ II CM Si 5 II i,29 c" w A ra II— v ™ ii ±> ~| UJ I CL. * C» to ra" w . £ x II J SJ x x> " C C L O + •± SJ • - Ira S i t s ts _ JS ^ 2 CL ra tu "5.2 « a s > ll ll x SJ Si ra ra ra I to to c ra ra 3 cr — tu i! ra "_i U J CU co ra || _U Vi x> ^ o tu >^ ft) CL e a 2 ra + ^ + XT' s- ° a y ra tz* II SJ ra O + + C L X • -tu o — ra >, — Xl - o CU _ J -c > , X Q . N C L > CS OJ II X i c tu -e CL a «. x 2 CU to c JJ o. — , CJ a u 8--S ^ tO *- w . II o + _+ 'to ? 5 O . CO J<: "^  2 xi' 1 0 . T 3 UJ cr ^ to —, OJ i >>iS S xi w 3 ll < XI + — 3 ra O + + tu S x 3 co | 3 3 » A 2 i s ll ^ 3 II w ra xi x — | ra c^  •s; = £ c II v CO 3 O + + C L + A 5 II 2S ^ II .2 c ^ >, ^ c 'S S II A o v _ X 12. 2 T ) X ) "S c c < ra u - A II <A C L - . T . cr UJ O + + O — A II II w1 3 Appendix B. Proof Script for STARI 139 u 3 •a c — c 7 3 ~ «• 6 | co c = .2 —i tu t o c c -n-• — tu I T J ca 5 ^  C L < « S: = r.x?.2 J) o « g 3 00 © T J : 3 + c S + 0 0 S oo w i i - r fi c t_> ca c 1 S II " tu tu ca J c •c CL ^ C L c s i i * — + u (A t o s r * ' C > » + s M t o ll 7Z 2 >s + ._ C L £ H c« V C L , , II <J »N + w •tl 2 ts 5 C L Q —- CS T f + CL + C tu II V 3 C O 2 t tu + ^ f i t o IT ~* tu c o + + CL I + s i II e i tu 3 S "> 2 ~ C w t U c A 'C. i->u Q .i.-w CL + II ^ y a | 8 o -j- o 2 '" i + T Sj + t o C U w p f l l + « J J -t o ca •s 73 tt. c 3-73 Jl. a 3 uT ,+ + o. 
.fi II _ A ca U ^ fi c Vt N II tu A C Vi O + u t o X A I £ II 9 -s-i f o •* + w + — t o 3 i + - o X C — , CU I t o « 9 v p r T J 2 '"i l I sS w CL CL.2 ca ca Z c tu w NJ II II V A *»» w» ""l "~l co t o t o j ; •g a < CS .«•< S — C A s = — ca 2 < CU T J _eo c (£ < ca — A CO l | >> ll CU c ? + c o + + w O — S o - s II fi II v 2 v < ^ I CS Vi - I t o . _ I >> I - * I A s£. •g-S || -o s ^ tu A N II II II A Vt •~l II II n II. A ttJ II II II II II t o CN m CO tO ys4 tate >. >. >> ys4 tate CO t o CO Vi CO S 2, 15 fi ca ca CO CO JJ X) XI C •c C L s. x M ca fi =^ i CL C L ca II cu 4 0 o + + CU C o + a .± § * + > •± .it? ca tu CL + t o T J 5l < c u e « fi a .S tu II ^3. o A tt "~l - 1 n 2 >>^ S 2 o . w CL Z " — Z " > ?^ 0 _ c ca I 3 X I c r ^ cu § , ° tO ^—' ( j T J T J T J C C C < < < CU E cr LU , tu o Is O <«9 .13 I « t o W C 3 < . 2 >— c J! 8 - II .O A \vt tu c o + + tu ¥? o + t o CO > _ ^ ? ca 73 c r 3 U c r ^ tu -—• M J<! 1o —. co w 11 11 i i — — c T J T J T J C C C < < < c r UJ O + + cu c O + + II A II V Vi o + + s~. tU c = t o + > J s i > « CO LT 3 3 UJ C C T . — . < tu ^ ^ g c 3 C O II • A . Vi ; T J T J T J A c c c 11 < < < II X XI tu CO co « ; X I X I J c •c C L E c— •• c r O co + to + CN tu ™ c c o o + -zz + co •— 0 0 1 = •x 3 — 2 3 U ca 0 0 CS LT' 73 CL 3 K c r tu cu C L >* X 73. CQ co , w 2 s ^ <a A r :-=;§ J C Q to CS L-C C L to 3 CO 2 o. II II g " D. c x . _ CU cu "5 tt. c r c fi O co + to + c n tu ^ ' C L x c n 00 + -s + 7<i L. CO C L 3 x c r tu tu •3 S D. x> 3 tu 2 — .•**> CO 7 - E A ~ s C L CQ ca . * — — o fi ^ ca ' C a t e i , C N I .C CS 1 1 M « >— ClL - 8 3 CB 2 71 S i -ll 1  w fe. o °r C X . - tu c n I "i-n-S „ U V 4 « ! B.5 -, A A II I' I! 1  11 w «<» V) ?! f l I I 11 A \Vi 1  2 ^ A t 72 1 < tu _ 1 c co r™ i ? § -o +• + o + + tu c o + + c tu c o + + c r UJ o + + o + + 3 i i 3, A Appendix B. Proof Script for STARI 140 co U .c a. i _>< a. -w 3 f i . ?< + a . a> _ cr \ 3 OJ c -a 5 I OJ QJ te ° • - -S 3 . 2 n QJ CO > b S f — II o 51 ca ! 2 X) c £ £ •X! 
« — >;g S- + i ,2, + J - ~l I « ll *~ c ^ o OJ -s c CO p op J D U o V 00 QJ A £• o CLZ co £i II To Qj ca QJ « § i t to 2 00 + is g 2 § QJ + oo + QJ 2 _ CO co i -r» •= ~ tS g II o v U ^ o QJ QJ + to g + CJ O QJ o-. 5 + C U .X « C U I ^ "—' CO A 2-^1 >ill ? |2 N •S 5" a s £•£ 8" Cu > = « JJ II II x> te. 2 "co 2 JJ- CO | CO QJ C C 5 J J 2 o- JH a A v O . co To CO V , w . II CQ V ^ X QJ CO s 5 V — Vi 2 -QT II <3 -2 f j to + 5.2 + 2 g .94 X I co QJ _ _ I 2^,-i 7J X>-* a n. . Cu w II 2 tt. 2 CO _ CO co co c uT c O ^ O 'z: ^ °s CO . , CO J2f<X .2P xi -—.3 2 e 2 u o S oo It. oo A QJ A + '~l II a. E cr 2 a. X QJ CO O 17^  co a a S. X Cf 00 QJ 2 x ci. ^ « 2. ct «•» oo QJ co 2 S £ c/l O *-QJ O 2 y QJ -c — • £ QJ' C/J <w ^1 II II sr te. QJ QJ QJ QJ O- 2 co CO CN . . 3 » o "5 CL, 2 x ooCQ co CN S - 8 •e -E 00 a. QJ -c " 2 CO CO & « ! a. a. X X QJ QJ QJ 11 2 C L tS X „ QJ CO CN I L_ > '"I •c-S z > QJ QJ II X X I V o L. — QJ 2 Nl CO •-, 2^ S< I L - + C L ra ra — w 4) — -o _ Q» 2 1 — 2 o o CL CL >, >, X X I I >, >. X X CO CO CO O O O jT O . CL CL 2 >,>,>, 2 >->>,>, to X ) X i X ) —i X l X l XI x> CO C L + QJ + II A II II — Q) QJ a> CA 4) - I CN X l A II II c? II v QJ Vi - 2 - | s » £ tS .2 x i co C OO o < « S o l|s o « 'J Q. 00 A & II *! o C L + QJ QJ c c ? ? + + Cfl C/j s — C/j «.£ •3 >» 3" iS QJ 3 - ' J c QJ CO co > £ CT." ' ~ l J CO w e > QJ — C C u S S U QJ i c .2 - 8 « CL c 00 C L . _ : ^ J i l l QJ OJ QJ A II II A II X) II 3 < J a-CO [JJ 243 .2 "° ra QJ C •§ 2 IT! C 3 .5. £ 2 — CO II p O ca QJ u te u e CO X l Q.2 =° QJ S > • - s> x X •c CL 2<X O l QJ ^ co •—-a II CL. ^ i ' — ^ X > 3 C L P « 3 II CL V -Vi ^ - | C L ^ CL co QJ CO CO £ X l X i •c CL CN + + >-Q UJ H Z UJ UJ Cu S H O z X l X l I «. ^ CL Q> X X I QJ 3 P + + X X P + + QJ S o + + CO . . ' — QJ ™ QJ Q Q 3 L= II CN - S - I CO L. CN X l •>/ ra 42- II 5 0 — CO w O X ^ co 2 — Q > "QJ Q XJ x i X X ) 2 ""i co 0 o — QJ O X CL CL-2 ll 2 S ' l . 2 '"O co C L . 
O II A Vi 3 P + + II V Vi 3 O + + QJ 3 P + + QJ 3 O QJ >; 3 d 9 I c „ O w + ^ + XI p  + II ? i + o QJ —I + 5 .± 2 42- i + W + CO QJ CO w §3 - 2 + o .± D I W Appendix B. Proof Script for STARI 141 u u u? Cu I "5. o N : II p A c •2-1 II "to V J < CA ^ « £ 3 9 -*uT o 2 u- In ra P N to 8 II — ra J II 8 3 ra CA cu w - x i i ^ x> ^ cu ra •n Cu U u a l ? as u o tu p z •o c < I — u « 5 =»! = ? C T } C L U J tu c u ^ 5 ra tu o r § v X>"~l "~i » ra" w 1 11 " c =J .2 II V £ "ra A Sb ii S _r ra o I f |1 II 2 f cn 2 X l XI CO J c "C Cu ra c p •a u 60 2 x : CA XI L . O Cu _g >,« i.x1 to — § ~~ I • i g" a 2 > » x > O."Q. A O ra cu 11 11 -s cu -5 ra, x 2 . J U M C 1 2 a — U . 2 ra a s U O" 2 UJ ra <—> A u S II =6 § H cj ,—, Cu v> c O X> «> II cu ? !z - e | i >^ ^ + A ? I ? + c Cu O g . Cu 7 ra £• w c ra A >> 3 _ O x>tr E s 5. + o j5 u 2 2 ra CA cu 2 =J E - C 3 S I f 8" 2 0 3 ra x> X l 'a . J * Cu CA Cu ' 22 -E cu II V— Cu X u X l X l ra "C Cu Cu + •c cu I 71 © II + 2 A II 2 e 2 S 3 © 2 'co 2 ~% o 7j j i i Q Q H ll 2 S- Tu "CA 2 >,T3 Cu — r i r i * o " 3 >* CO V 3 CU E E -o CL >> X I >-> x , — cu '5.-2 II .2 - v S 5 ra •£ | I 8.£ 3 >*x> T •= -d A | ra II >» > II X i £ L. x X 3 CL E H ra 3 C -UJ .—, J4 II — *9 C L W II ra _ tS co — cr 3 UJ P ^ X i / - ^ o u aS § eo + T + A cu II C II O + + oo 2 -^^  CA A a II X> II 1^ X i _ Ci •a 2 a i s ra > - ts 2 X i X l c S — o / i T co w C L 3 « X t T 00 cu 2 x c i . II u 2 c t CU CA §-E + w + p 3 ° o so + u + ra • ~ l C L II II ZZ CU CA *— I "C e * 11 it CN CU 3 - i f -o •C" °w CL X> C L O ll u  ct u 2 2-t "C CD cu cu -c o 2 ra CA — I cs a te 2 C L rt X . ' ? j gs-s-s n o> o> c l ^ ^ ^ ^ ^ ^ " C N II £ <- ^ cU -2 CL CL -S ra, X X 2 w1 CU CU CA c cu-S II V . i s-S T ; X I LH " I i 22 & 2 £ 2 — ra to •SI* o V g •a.S-8 — ^ " e 2 1t< * t - g ft — 3 11 ra x : — cu tu -o ~o , C N -La u? II etc T § «-e "O o X i C L CO 3 CO CO CO CO I S cu CL CL CL CL 3 CO i i II CU TJ c 3 O •S >-x •> -2 C L I ra D . 
>> > 3 XI o im X l X i "C C L •O C 3 O XI cu S.2 CL CA 3 3 2 O X i C L X l ts « D . u II £ a-S 2 J CA C 2'S. C L II V cu CO ™ "u U T3 2 i <s r_; .2 C u . •D cu . • £ ft-x^ji." CL 'ra' C L X : co cu — ' -o — v V Cu J ra ra l a < CO •— (O — CO t o t o 8. cu X X) I CO X X I ra l Cu + 2 . 3 75 >» •« ll + V . C 3 I 2 J C . CA A =• II | II >> V 3 CO u II "C Cu Appendix B. Proof Script for STARI 142 o oo »> BO « _ _ U 2 &« CU 3 60 3 « c r ^ c r cu UJ A UJ CU II w 0 ) M 2 ' — ' co A S, 11 >' CJ x> D cj ea 3 > ts a X ) x> ca J c •c C L E H cr /-> ca B. 2. TT c r I <U i L- >, CL-TT x S-CU C L i CQ ^ cu _ L.-CQ II ° , « s-II II cu £ -• - cu " £ 2 t o . t J 9 — o CN 11 fc-i x 2 CU CO u. c r S CL S — 5> CN CN o s is. P X e o C Q co O \2 2 — g 2 CU CU CU CU CN S Q.2 - to ~ > I 2 2 £ •c X) 9 ? 2 S II £ 2 -S « J c S I . CQ CL CU ca co T" ll x x S J 2 s "oo • a i a w w 2 2 ca 5. — X II "7 v r * CO + CU CO f TJ X I II « 3 i i 2 2 9 73 2 • a — CO • a c 3 O X I l _ « 9 3 S i O X I C L X I to « 8. CJ II £ 2 J co c U S 2 A 3 || : T J ^ 2 1? CL £S i .2 >»TJ 71 + C L " U c o cu — 5 Ji cu o cu c o —• 2 — CO CO CO — E N u -S M CO — s i cu . _ cj J= | i l l 1 1 n v 1 1 m fi CU to TJ — ! * > X l X ) >!> e « X I X I CO .1 •c C L Q II • I —. —1" =• e ? w <u S -5 II ca j u 2 CN ^ ea to i i u >* — CJ CU 73 "S CN k. C CO a. <j* >< I ^ CO I _ I > _ > cu C L cu C L ' t o 'v\ * as II II — CN CO CO ' >> J CO CO X I D U CO CO > to a x X • ca I ' C a . J n. « C L > ca cu II £ 2 H 2 J «> c — o — CO i j t; 3 * to .2 =5 £ 2 S ou, 8. >. f =• >l II 2 CO o — CJ cu N "O — + cu CO II II II II — CN CO CO >> >> CO CO CO CO CO CO tu U CU CU cu cu c = o o . _ ' o a. i § 2 »! CO CU CL tu t i ca ca ji . r to D -Q - ^ + -I ^ ' o £ s - c C cu tu co to C = '5. •a c < C cn >; co — ll II A V cu to J £ T J 3 CO — . •It- CO A >> II "> II cn" I II tu 3 ea c 2 < 3 co cr UJ 2^-c o CO CJ .E « ^.u o u •>•* cj —I II "-Tf 4J — — 2 "co "OJ a = 2 -S > ^ X i • S X I tu CO co g X I X I - i a-o ^ S-. 
C L CN CO II CU J C •c C L >> X J C x> I ca >. > e o LH X l X ) c •c C L _ fi .£P jo .S> To ^  2 2 U co cu "S cu O 3 60 3 00 tS c r ^ c r w u UJ A UJ A ~ ^ II ™ II 73 •* II * II .... v ea — fi ca to tu c o 2 co CO I > 2 X I — o fi ca S > tS o X I X I co E E -cr tu c — ^-c o _ . . "XI C L 3 5, x c r oo tu tu X I C L >> o x T j , « ^ c t ooCQ co co tu CN •E -c B. — * X S .L- tU ° •—• || Si II II ( s II c r fc te fi ii C L C L ^ tu co cr CN O -LT w C L X i O 3 cr cu I 71 S b O Q 3 CO tu € -c O tu o CO C L tu -c CN 2 B . 2 X <« « ts CN rzx >' i u 2 x 2 S II £ 2-8 to c S"E. r . TO V) u-u TJ tu i» CL I _>> C L C L ea 3 cr UJ zi cu C L ' C L : . . X X I tu CO X x> J i ; 2 Appendix B. Proof Script for STARI 143 o + + T J + u e - o V*' l — w | O . u - . ca i"i ct ra ra o ~ T J — cu act C3 5 , Z c tt cu K £ .E *-?CN ci CO 60 S >> gj tfl Ul C o + ft II c o II A Vi CU tu S e e r o o S ! • I ' tu « II « V - tt. ty» — tu 5 c =_ o -^ttT CO >  tt to 5 1.E < CN S II Spy c ca < C — A CO II t/1 I II II V V Vi Vi 22CO CO T J T J c c < < > v -—* tu cu c c o o II II A A — Vi Vi S . .—> I I a . -X .M CO eo eo ~* < c r 3 ^ " — i i . C L + tt V CO II V Vi 2 CU « 2 to n T J . V CN «o = CL w CJ + "ca 1o o tt T ) • u 2 JD — CNto .22 cj » » c tu Si o &•£ II o 9 A •51J >> 00 to If « ~ a >C to t/i tyi . S ~ J J W . M UJ A = ~ ll 2 II <2 =5-S = ca L< o o i i CJ CJ oo " n •3 CTCQ cu T J cj . . " — "J? -= °<« tu ca c — II •3* 1 I  a. ^ x> c C L O C L I ea A II O . V l*» ^ - | C L co L i - » 2 ca — x> II •S 2 I 2 C to a 5 . . . X I y-i. X ) tu ea co a ' X I X I . . . tu 2 « 2 co o tu o S & S .£J » l» X I £ cu c ? + II V + + u - , 2 ca « a. a -1 . j "to ^ C L CO CU T J C < 'a? c o II A Vi c _ ? 2 o 1.1 2 i '—* J_ to tU . i — § J~ + « 2 . ± ^ . 2 .1 'to c C L a > . • = 2 < B ca tu ca oo to X I C L O ^ 8 5 CO •—' •— - to II i= 3- is II o g-a II -E £; a s 5 g-z ca zi I w J 2 " - " C L . •c C L A II II c •c CL 3 C T _ LU X ~\ ea 2 II ca Vi Q- I a ^ S- + •2. + >1I' ca *^ --r- _ T J X i X i X i X . 
Appendix B. Proof Script for STARI

[Proof script listing, pages 144 to 148: text not recoverable from the extraction; only the running header survives.]

B.2 Proof Script for the FIFO Transition

[Proof script listing, pages 149 to 164: text not recoverable from the extraction; only the section heading and running header survive.]
E S £>T5 w CU 11 £ y 1 C L C L ra Tt CN 1 3 i i cc fN C L 3 s a . 2 C L co ra w II ra II Ca ccs a 55 a 55 ra I ra I co c S i CN OJ a u to •5 >is a. 2 CL co ra tu II tS a 55 2 j co 3 S O + + •-=> 3 CN O. >ia o II ts a 55 z II T T S i Appendix B. Proof Script for STARI 165 o i II Vl + o co CO u II u S H II co c — O U + _ cj "eo — 3 O o-O CJ CD J 5 « -S ~-2 _ C L CB CL co w L. 'I CO II a 55 _ co I U to c _ _ is. C L • -X 2 o co a TJ •c _ a ~i w a •-'JE ii 2 CO cj CO & II t o II 2 55 _ co I CJ CO c T3 C - 3 O X ) L. C L c a to — n Vi + tu cj— C L H CO A C L " CJ X » • CJ — cj Cj-" l • -4 a a.2 C L co a 55 2 J co c a i . S" a 2 £ a tu ° 2 a — " C w •g-i s w cu co CO. *- CU CO L. „ T a 55 II CO I u . S s a a -. . u CJ V ,eO cj a. --s s a a 4 a " o e -3 C L co O w tu 2 I' co T a 55 II CO I CJ t o 3 a a IN 2 c "5. • + , O O u II C L 4 a C L to II g e e . 3 tu tu • co co •—' .5 .£ '^33 II _ C N H •* •* o ;> II •e CJ II a CO S i . C L > ; .+ s o tT -3 tU w to C • -c w a — to to O . E , n CO Jl ' tu .—5 0 t ; 1 tu i to O e C c r "co i o " O II II . CO •3-3-c < tu co 3 ? 2 f -'I c c tu o to w . E o n V X ) U _f a CL "* C L CO II a 55 2 J to 3 tu W W W Q _ l _ ' j«: V —i j* II A CL II V ^ to .+& j Q a c • CO . 3 C l u ap. J5 o A II oo . -CJ X ) ra O to A II ., 'I V 3 — <U C co c f- tt. o 73 73 4 . UJ tLl _ —? 2" . 2 V V £ tu tu C 3 O O + + + + v S 3 "T II II •2-,— C N V Vi C o + + 3 3 • oo x> o 3 o-tu CO £ » a o •c — (1) •—. eBoi tu i L. 1 a a eBoi a CL •c a 2 lac C L 2 'LZ 2 CO lac C L CO CO cu CO a rep CO a 1 a 2 rep II 2 ?c II 2 55 II a 55 II a 55 j t o j CO j 3 CO 3 CJ CO 3 C L a a C L — a C L tu X o C L . . >^ cu ^12 • ° tu II to a 55 2 1 t o c a-g. cu "a > V CO | stal del dell L» CL X °S. _+ CO CU ll y : (dell :Calc 5 ll •u A •= CO CO 3 < t L f ' II C— C L X CU _>> a i C L 2 C L C L co C L a to a a'g. : C L Jc< V «« ' tu 3 o + + 3 a P I t o oo i> X i "co O 3 — o-o tu, co 4 a tu C L 2 a n. ts -* * co u II S" II to .+ II ra I a a fe. 
CJ CL • ' x a CJ co £ t o cj ° C L 5 t o '£ u » CO, t- CU X . ' II ca T a 55 II co I A A II " 5 -3 H tt. cr c r II II VI VI tu tu c c o o + + + + O O II II Appendix B. Proof Script for STARI 166 o o. >. i j= • I ! > > i X l . c n E. . A " II II ! II V I o ; to SS O -3 _ _ rg".E -a -a xt A E E < < c o II 2 a.2 CL CA 2 55 2 co 4 s Q . 2 C L co « 0 II co a co eg J •c c ITS. CJ c o r + cu + CO ) —: > + — O S. c II V Vi O < c < • CU c o 2 *•» CU c o '• A o ""a eo > f-v II CU c 2 • C io _ . — CU •-=> II C N CJ a. o o. J= I >. X l U cu a. >ls a.2 C L co II eo CO . ? o + JL CO CJ T e c ltd =i cu _ CO CO C 3 _ CL + CU c o + + — ri. S o S C a v tu (• ) N to w C CJ II T B A J £ A .CO-, II c 4 11 cu — II V VI O •a c < 3 A •— .£ 3 II > CJ SS II > J - A II cn E o Z •o c < stal cu £• ... "E. CO I 2 C L . t o >\ Vi CO 2 - ° CJ II CO ll IS CU co 2 co to _J 2 1 t o c co c t j pri A II II -—-c II V VI •o2 TJ 2 c " < 7 c o £. II -A r o i < c t. cu tu (O t o c c ZO 1 §• - LU CJ >; s> 0.2 C L t o eo cu II to 2 co C L I 4 2 o. 2 ca eu II to 2 co O II c o 2 J — A Jl C N TJ 1 * TJ C << 3 • 2 g « O ; > << f t O ° i || II 3 A A -,s§ CL CL CO II tu cs to •E 5 - -o C L •o . —' u tu i_T> 2 . 2 II to 2 co CL + c + -> \ > . CO ' 3 II CT tu ^ 3 C 3 C > 1 UJ- c i S i ~ 'h o 'i O A S 2 II X ss II 11 V _~ 3 O + + tu 3 9 A -S'^  ii 2 <r> E A II c II V VI o „ TJ 3 _ i < C L co „ U ^? CU c to ° - -2 II § E"S4 ._ cu CU cj X? eo C L 2 o ta 0 "2 co C « r E —i C L —i I •c CL c n E A II II II V VI o — TJ ,."5 tu —• - 1 eo c U . A 2 II crcn ? A E ll - ll o en 5 E CO CJ' .2 + + tu c o II av\ H 4 9 C L ! C L • O a W II II u 3 2 C co CJ U A II II 3 C P — 2 >< 2 eo C O •n C L c n u a. 4s a. 2 A II II 1= II V c *"» £ II 5 ' o VI TJ 3 C o cj < XT' X co S 2- a. I x XT' 1 CLCN CL t o eo >-» A SS K II T II II A II ^ II A 'o \\ v> o "s "g, II II O A V I to O O S S II II II — oi L. CO CO tLL > . X CO co tU CJ CJ CU CU I CO • * ' $> o, 2 Q . co eo u II a 2 co Appendix B. 
Proof Script for STARI 167 C/i ra (A i c CL 1.2 II — - ' CO "T 'in .X, «U t?-5 3 o C L tate; Q 1 tate; to u by to o re to j psilj-tate = ts CO J 3 tri (SJ c pri let pri Q 55 + g ^ o c > O ' O + — II V V -TJ C L 3 55 < A II II X I o + — 3 < § "S UJ 2 « N S" X L. II II ra JD X l ra re t o u tu Ca! 3 O + + ica T J tu Cu .2 | _>> 2 nstan C L 3 nstan 2 C L t o nstan to re u — o II re II re u c o 2 CO s J re J t o c ts 3 let pn let ud o + + 2 "tu Q + '—\ O e? II 1j 'tu' V c c o + £ + + T J O L 7 3 < t o C L t o Iu 3 CL . . 55 o A .11 II II A II •-=> 55 II w C L X tu tu LL. "re 3 3 " 55 UJ 55 II tu V II ° A - 1 T J 55 f t II II A V , T J C A II II < N t o O O + + + + X ) w ^ 2 o o i , Z Z •- U tu <u t o w T S ra i£ .2 _ T J ra « uT 2 a i 2 x^  C L C L I II II co 2 co t o m — C L 3 x O " " C C L " C C L •c C L J£ oo ,ra = LL. X I _ o 3 " ir39 U A 55 II •-> II II ^ <ycj — . ~ II tU (aO o oT 3 ^ ? 3 J . ? g + O '§* o Z n II T; tO C L X t o tU Cu I 2 3 .+ x> 2 C L 2 C L to II re 2 CO 2 c" • — I u . C L tu x 3 tu ? A -k II 7> II 3 u. O C L + X + 2. 3 — CLI> X — tu re — 3 C C P — tu tu I . . <u tu 2 — m "H. S.2 tu C L to L. re u 11 II re x 2 .J CU to c S 2 a. 55 C L 1 7 o ^ t ^  •og 2 ? u + Q O ra - + ; S 2 -it T ca C L • •S.II g Cu552 I cu I C L + t o ca + C L C L C L A II Appendix B. Proof Script for STARI B.3 Proof Script for the Receiver Transition Appendix B. Proof Script for STARI 169 A X ) II A X X ) X i v ^ v xT CO eo W A A w o O 2 « « z -5 - ll n u n n II £ TJ 7j x a t r o-CO 3 O O s IT 1 E o J . J II 3 II V T J 3 < II A vt II X l Q + C L II "5 II C L V . cu © _ T J cu O II _ J o _ 3J .~3^  2 A jo v v O CO o — O * * c . c c a c o O ;>-. x —< tN cn T t vt vo u a W T J * c o . 1 „ C L C L + ? o -" 2 ft J w a. II cu ^ " c g" £ CJ — N — •a Ti + co 2 ^ £ = y || — Vt O • A : i 2 S • wm wm CU I CL.O N • 1 c n J 3 of II U A S .11 II II II II II II CU CU CJ CJ J 3 II "8 " o U <J w -> CJ >; n ;- v ci ~ 3?~ Zi -+l § g + w C ~ v S i ? 
cj" IJ £ cj ^ = S U N 3 O i2 IM = CO _ —' w — 2 co — • " ' — SS • T J C . < + CU CO CO w k. I— CO o to U. . 3 II T J .2 J 3 E ° CO CO > I . 1 3 1) 5. 3" C cu o O I w it? § I -> ^. H T J + c O + + X I X l * - eo ~ E ' II SS 60 V 3 C 3 + £ C L + »9 c + >; - n S A A A < 00 c U TJ • X ) CO ~ -3-3 I =i 3 g i J . J X i c n c n c n X X X C C c co .2 o X ) -co co. 'i R So o 2 <u CO co § § O O CU O :- ! - .=*= c n "ii ~ "ii _ — . J * i _ c CJ g CL= Qj •c ~ II .• II JS r 2 t t c . > cu 2 8 31-a! 2 "cj TJ jm ^ _ i co 11 E -T i j»! u v •= II 02 II 'C co t u t u t u t u t u t u c u t U c u c u t u t u t u t u t u t u o || o >• ~~ tu 3 E Appendix B. Proof Script for STARI 170 o c o + + u 55 c 55 0 tu w + tu tJl'f" § 1 i ^ >* tu i ? x + 55 c tu ^ tu 7 2 vi + ' t U w T3 A II II X l X I 3 X I a. + 3 II V \a. II :» w 55 ^ If 'tu 55 o 3 -5-Z 9 s 5 5 ± + 55 £ + o + + ? II ' Vi 11 r 9 Vi > * e tu 3 c tu to II 3 o + ^ + 3 o c c tu tu o . + + •S 3 >< O o tu £ f § 3 II § 2 t + £ o o > 3 -2 waT 11 v ii. w A II II t>. tu 1 o ' J X i 3 X i < 3 o + + II Vi X X o + c tu ra ^ 3 ^ m A U l || eu 3 o + + a. + tu 3 o + > tu ^ 1 C ra.E 3 3 A : i i! 3 ~ o _ J c T3 3 < E c o u. 11 11 V c - o 3 LL, T3 3 < - S 1 XJ ~ tU to •5 - J 1  T3 3 tU CL, a. a. II V ^ tu I" o c S o + c c + X tu tu 4. 3 to to II tU u_ 3 —. u.1 ° J ~ ^ 3 3 tu . 3 : O 1 + • + . 3 - II - Vi a 2 5 ° ra to > I 2 + 3 p + 55 c 0 tu P 3 *- nt X) E + o w 3 + > o + w I w > o Z p + + 3 11 cr** a — w ^ < i > o Z o + + 3 11 X cr X i X i 3 X i Appendix B. Proof Script for STARI 171 II V Vt tu to to +« s — • r j ] CO •3 _ to «^ £ .2 eo .= o CO + U + CJ 2 £ c i t If + C J C o + ^ + CJ . — £ 2 3 II f~ 2 ._ § oo T> ! + A \&\\ II v> XT' ' Q . + CO = II II cj 2 j*: co CO W •c CL ' I CL 4 a "5.2 CL co CO 4 ) II CO 2 55 2 J CO C 21. II «9 _ CL CJ u ! i < i -=5 cy ffi J-T; c j P" • a> c J 2 S-gt -«£< § 2 ^ CO oo 11 CJ CJ U 00 CO — CU ^ CL CO II a. x c j w II c j 2 » CO co — , u «r c j J2 CO . « CJ tt. 
l^iT £ 2 £ II _ y ?5 —> £-.2 tu II S 3 II B o V £ + ^  - £< JD. 3 C L W write tate; 4 ot (ta tate; 1 >> w "5. 2 CO 2 ap Z CO CJ CL CO „ II to n CO II 2 55 2 55 2 to j CO J 2 CO c CO c COa ud let pn let cu CO . tt. 3 CJ to 2 re to 2 2 55 j _c ' E CL CO CO TJ II XI 1 1 B 2 CO CO — 2 — o cu 3 o + .-c + O 3 L. ' CJ . _ N co - ts £ •3 « + n „ t v. TJ o\E | S i >4 3 II . . « "H. 2 "3 2 2 O. co 2 ^ i _ , CO CJ to 55 j 3 •c CL tu J = O CL > . J 3 I >> Xl _cj CO u 2 to CJ T! tu 4 2 o. 2 ~ , co 2 to 2 55 2 J to 3 a i . CO II + 3 CL + 3 A CL + 3 II A 3 CP tu + o 3 + V 3-0 o o o e i/! ifl o .E .E + ^ + w w TJ J D E — c TJ 3 < TJ 3 < CL X E _2 u CM. O O _ L» I ° -—• 3 i s co II < " a C II CO - cu - J o CA eo " a u J= a E t> CO CO to I • 0 . eo CL. 4 i - : CL CJ, " 3 ^ O 4 J . _ l I re co II a v. a XI o CL 3 X O CU ••= I re J * oo co — — XI a oo o w eo a • _ . U M II I -I - I - CO CO O + + CU 3 O + + o + eo c < i) co eo <° to u Z II to a 55 CO I ? a + 2 £ ~' uJio c re -. JC .2 .2 •§ I 1 1 < iS" CL. I tu tu to >> £ 3 X Q. ° O i . Hit . .V II t u t u p t u •c CL ""l '~ | + CO — w = II V tu '" 2 J*L co CO W 2 2 CO CO CO CJ T CL 3 _o to oo H cj tu c j 00 CO w CL S tu •£ L- - . II o. < X = > L. m CL i o >-L. - J C O . x C L <s< a -•c ? u t~ M ' — ' CM .E--I £ CJ . . » - r a -^^  tu ^ II a CN 1 1 2 x 2 J CJ co cz S 2 i . a to TJ CJ 00 3 x 2 CJ CO cu II to 2 55 2 J "> 3 S 'Li Appendix B. Proof Script for STARI 172 T J u CL Cu J£ t Cu. ra U. C P II v\^ S"« w U. o ra Z 3 -o uT 3 ^ < c 1 £ c V V • 2 ra V c; C 3 Vi o w ^ if 2 LS" 2 o o ? a £ ^ S S Z ra tS - — — ™ t o tu II t o 2 co o a. >, j= l >. xi 2 _o a "ra i 2 c l ra a. u ra •5 ^ tu ~~ £ 2 ->!»}«? "a. o. 2 o. Cu t o ra ra tu II II i i 2 co ra ra | « ifl c | | 'I, >> II A II II '5. + Cu + + 3 Cu + tu s o Cu + c o + + X l t. 5 5 tu tu t o c 3 O OS tu ra ii s -= ra 2 II o T J c ™ 3 3 e tu tu g S > , 2 Cu X — ;> :> u > >\ A II II , X l a o U •$ 2 M ra '—' .2 A •5 M tu . II a. 
<N I ra co >i E E .-2 • C L E E 2 2 ^ Cu tu tu ra to ra — t o tu II t o « r7 Cu E u "a. E «3 O CN O C L eu I _ ra o • + £? C L — W ra O O - 1 A" C < II :*> •a o X l I f ? S > — C ra o §• J o i i f § -rr II 12 £ o > + < ts ra ra r o ll A o Z >» L. 8 1 X 11 11 — 11 CP "P U l - c 3 v «3 v I 2 tu ra rz N ^ to C L C L + + 3 c Cu 3 ra + £ £ + II II >. 2 tu . t o 11 - .E v + ^ 3 c e 2 >; >; pi r i T J C L C L + + cu cu 3 3 O O e c u w • • = = 3 0 eo ra + 0 + + — 3 JJ co ' c o 0 1 ra + o 55 T J eu cu 2 1 + -£ & 8 °° 3 Cu C L tu 3 ^ 3 O 3 O + ._ + + t o + £ £•£ c + "> u ^ t o . — ' c u •= w + CP -«i 1 C u , tU t o . — . t o 3 3 w w w C O . ra •: 3 CP i! IA Q " C l X l "5 frss'Ts; A-^ A 11 2 11 11 2 11 ( N ll H 2 A V 2 3 3 ^ ra eo II II II — t N n CO CO CO >> >^ t o t o t o i i x> 11 9r t o T J 3 < Cu + •B.g -+ 2 5 5 + tU 3 3 — 2 " g = !=.£-« ' < >. o u. Z to 3 3 S-< < « C CM 2 2 2 CO tO tO — r - Tt CO CO CO O O O C L C L C L > > > > > > X X X — I I I + >. >^  3 X i X X I C L C L + + co !~! O . + " 8 U c 2 2 2 ^7 3 5 S + T J T J T J C tU tU tU CO CO u u z. — ra >» 2 2 ra t o CU / - S . / - i . + + 3 K 2 co •c C L II II A V n 3 C L " 2 C L ra i 2 • 3 2 ra t o a. a. 1 1 11 11 tu cu C L + + 3 II c cu • -t o 2 . 3 t o A co 11 'it; 11 u > •£ o _ C L > . -i'-lf C 55 = '5 ? J I + ^ £ c A II O <£ 11 — .E ^ ra C 5 5 3 ^ 3 t y w II UJ A V ^ || « = II o > T J ^ c ^ "o II A 3 tu 3 o + + 3 > = w tu a. + UJ ^ g 3 " £ o cu a T J 3 < Appendix B. Proof Script for STARI 173 B a t o co t o to — -t CO CO 'tO *CO cu cu X j X j o o a. a. >> ^ 1 >. >, £ • £ • CO a. a. i i CL C L CL C L eo eo II II B B £0 CO to to co zi zi > < eu ? ? <S vt cu Q eo eo u u 2 B to to .22 2 «j eo tu -X CO O t« a. u >>•£ J °-X I JZ\ II u u oo CO II cu O 3 + II o + + c T J c < o II A Vi U -S eo s ...a < > » T J O II A Vi eo eu « Ii. .3 t o _ eo _ ca U-s _ e • uTS -1 + l l = s + ** II & c.r>vi^ to 0 0 II V V) "tu cu T J 3 < CU JJ S Jr r v v >i cr o o C L U CU S C L _ N N CO £ , w w II o o ° w tt Z Z ll . ? 
A A II u || o >> . 5 2 o t o Z\ tu CO •5 « o — S o . I O . eo I tu X l o , eo C L ^ ^ o j cu t u T J tu tu .2 £ 1^ 11 II II B B t o B CO CO <u u C L >la "E.2 C L co co w II t o B 55 3 J t o = i i C L K tu si ° = A O tu UJ §>.' } j !fc _o • la 1 ca eo 0 0 . o — X l c o "o cu u oo eo T J °"l >i B a . 2 C L co • co w II t o tu 2 I co c O + + + c o < A 8 co « a co o — *-5; a a. E v o + + c o cu cu 03 n i t _ " — — cu C L Q C L " x . ' i t o A I 3 • II fN " _ _ CU t n T 3 w w •g 0 . . I CL _ C L — . 55 CO tu £ w 3 tU fc c _ N C L ( — I o to A O " — . £ U "cU I? ! « UJ o — > + a it 2 A < . II . eo C L CO u u U. x: co — , n to n IL 3 — CT co c u §• .2 S U J to u" — .2? § is + II o o + = u C ^ II oo '— tu Vi w II C ,—.co ? L " + = 2 4? r r £ e O O w A OJ tu ra •5 tS o — a e & 2 —- co CO ' " ' = a O CQ ± U = t o CO 11 II II a a t o t o co co C L >la "E. 2 C L to eo cu II a 55 cu cu a i >-c < ? 3 — O cu tU X —j sg: x< /tu — U cu — X l c o "o tu 1 u oo CO w , a " II C L >; a o. 2 CO Ew w | ^ CO | a i CO CO CO I I I X ) X I X I ~ — ^ c o co c o - —i CO CO CO — to tu tu cu " x : •£ -5 -5 o S S 9 U ii S; S; g; a i i 0 . i CL CL „ B — " " A II II C O J c •c C L C L + + c ,—' A C L — « l cu i2 CO — ._ c eu C L - ^ Q si J + II C L A = = II -11 — + tl A + = 2 2 >; S.Q - t s r i ^ Q. + CL + A 3 C L + CU _ «U — 3 — O 3 t O 3 + ~-+ 2 3 — w tU • B & O . w ^ + + " 55 N TJ a < C L + T J i? o + _ + 55 3 + 2 cu to 3 CL O i - : J 8* CL I . ^ CL C L cu cu 3 „ O 3 + >,+• >• 3 2 >, Ifl L « <N ~ A CO >» ^ - "« z CN TJ eo LL 2 * &S. II II — fN co t o >^  >> CO CO u T 2 M 1/1 VI Appendix B. Proof Script for STARI 174 , « CB tt. Q . ttTiT a«XJl " 5 5 Ta 2 2 •2 + + •S£ = « A crt -"ca ^ 1 2 ttTc C L J5 ca u l l I 3 > . "5. II c t V CB Vi — "co ca IS" 11 •* V V Vi © A co ro .=! II cu cu 2- o § g I t + + >> + + + cl.-* J * 3 • < o « L. •c g-o a ts « co 0 0 1 1 ~ CU U 0 0 I cu •= ~ II — ' cu CO L . II — 03 < x ^ l 9"°-C L _ £ • " l C L C L S C L J x x 2 x C CU CU CO CU a. 2 a a a a ^  " = X L. 
~ ~ £ cu . -l to . | S cu * 3 -—- cj CO II *• a C N 1 1 3 x 2 J cu co c 111 o S • 3 O v g S J — CU A a ryi "S Io 3 , . £ • 5 ^ 2 • £ > ^ C L - w , 2 - 2 T J 3 ~ t 3 S 2 - < 75 4-A as CB SS. ii a ta to cu T J 3 v T P 8 a . 1 « CO CO — "0-o o C L C L >> "l " l XI XI a a "ea to u u a a ta ta CJ CJ C L O . x>x> 2 C L C L 2 C L C L co ea ca w II II 03 £ 52 t?5 w tyi g a a EL X o C L J = I >> XI U cu a. = 4 2 ca c r ttl ce — T3 C L ca •s + '-> -3 ™ C L - B O a C L CO — SS + JS CO Sm CU .1 — CJ w cj - a » 2 TJ — TJ V — V o w v — I " O co w >1 A 53 SS M g — . - . N A N C L C L I O " I C L SS l - 5r •= u.' co ss w a w II CU I *0 r i 0 a CO S 5 a c 2 T J < to 2 ^ ts 0. 2 t • i : * -S v .2 CO " , , CO w O cu cu - CJ x> £ C L N . . P 0 O A •a 1 a C L CS C L C L UJ X> CO "cj T J * C N '5. 2 — 1 >. 2 C L to C L 2 + CO ta CO II tyj bd 2 —1 E ta _ c _C0 CO " C C L a a. 1 CJ CO ' l C L C L ? £ "u II 3 V o vi C5'TJ w 3 II < V s-, Vi I? O JL £. ° is + _ + ca j.< 3 SS o* w tt) II § § £ + i 2 « v § vi SS ,co CO tt. 3 — O " ca fjj 5-S5 UJ S5 V —.to "cu A s « L: s co o 3 + c r + U 3 JHC CO 2^  11 o Li-ra I t o £ + i s = 1 ? < o Zi _ z 3 ^ 5 5 +11 < c o II ^ 3 1  o v, + tL> w O A _ 2 H i t + 11 ttl c J5 cj a 2 2 CO cu to i>5 J 3 •c C L V >-< * UJ. a ^ • r C L 8 ^ ^ XI E Q 2 CJ cu u 0 0 C L II Q. C cu "I XI 9 cu C N 1 1 x 2 CJ co II V) SS C L - , SS II L J CU 2 ^ 2 1/1 CJ 3 co _ C O < _ 3 to 0 0 11 Tj cu o 0 0 CO — ' •5. s 2 § II C L X U tu >-< 13.M, S3>-1 3 C L Q . x a. S 2-~ " C N C L > x 9 cu SJ -CJ C L " S o . . >— CJ co II « CN " 2 x 2 J CJ CO c o -C L TJ II A I >> X i . CO , CJ ' T J U T J eo >> , v J - £ C L ™ W ~ < T J " l l U TJ II A 2" 0 0 eo ea cu eo CJ co ~ T J 1 « ^ i - s E s - u i a § a I i s eo I I a o XI c-u o 8.S 8. H co c Appendix B. Proof Script for STARI 175 A II II c x tu —1 . < O U J I >• —J Q. CL < T J tu 00 c x 2 o cs —' eu II cs 2 55 C T J O C : < - + n cu S V 3 T c ** v> - a cs 3 c r LU 2 I u x > T 3 Cu J . Cu ca tu T J Jt:' tu ,l< 1? — cs Cu ? S ' O Cu >< Cu . 
cs x r T I w x > >. 7£. • ' a . I cs c cs 25 c r f | tu O + S II v ** — tu I f s , II Vi • tu c o + + c II Vi tu tu CA T J . V u . ° & + .± -a + I c " " . • g < I * * - J t U c ? + II Vi 55 T J • C < C o + + CU e o . + cu + J 2 - , . cs • LL, 8 s ™ 7= 2 § 2 tf-A 55 c II tu o ^ O eg ^> + 0 0 J 2 + = 1 3 3 X UL W 2 - ll S cs «e eo CT cu tn 8 + p I II ty» II -** . tu "tu ; CA 3 > I — w ^ es i i cs CA o II I 3 2 • a I 2 cr U J U J i i ts 2 2 a 2 U L •§ J -If x > * * 2 < 5 5 a te_UJ s >-L . _1 CuCL x a . « S — CA tU Cu X a.-•c _ ° CA *TS i E x i a II II C N 1 1 te 2 Cu -tj x 2 cu --.SP x co 2 «3 tu o eo cs ^ ll , < l 25 O* ; S >> • w. J C u C L X Q , : < £ < i 2 ^ ! • c Cu 1» X 5 cu tu _ CA -r~ I S x i S tu II C N u, _ Cu — tu Xn Cu X tu — o J c cs w 0 0 11 s~ 0 0 9 -1 < •t 1 « CA CU O ' P C Q cu CJ CO U J L . taj E a j wlu "tu a > 4 > a> °-~l 'S «> tS ~ 2 *' * S CA II U U f N 1 1 2 x 2 J ll i n C 2 2 t l tu + cr cr o tu .s = A A I  I  E -1 • S UJ"UT c ? J 3 9 2 m . !! "» „ A A IS 2 ^ " _ . 3 5 ? ? 2 2 o § w 3 . i .1 S ^ 1 CO S I 1 V >i2 2 " a . >• >>2 2 Cu w i i eo 2 « i i ^ ' ts 11 11 o* 2 JJ to CA tA — t* o o O. Cu >. >. x x I I >. >. X X U U T3 -O CJ cu u. u . CL 0. 1 1 ;r 2 cu cu 2 CU Cu CA O CO cu II 2 vi _c Cu X l p 1 — * u 1 c o B t 1^ 2 2 c: E X I p 2 « o eo '-' CA U. I Cu i f >. x 2 o . u , 2 CU ^  CA 1 0 CA CU 11 to 2 co tu •-2 £C rt -y 11 " I -1 ° i I CA CA tw CU* CU1 c < cu <" -S CA CO 51 II CO 2 55 S I • 3 —- CO _ °T — uj 2 — co 55 U tu If QJ 2 V C L 11 \Vi •5. Jj &f £• c f < IS* co :—•, II CA C T •3 to U . — CO CU §•§ — + - c cu' £ 1  P VI + — . + eu £§ VI + CO U. UJ J I ? t J 3 5f w •O T 3 3 3 < < C? "3 V V • ~ l . CA t A > tt. •5—11 I™ § UJ 5 J + ff 2 ? u S 3 tu 2 ^ CA CA w — tu eo . U. 2 Cu X CU • tu 55 •< 2 c ^ = « o 5 5 O — + te ttJ « J i CuO. 0 0 * " x C L — '—. tu 2^ 1^ SJ CQ i S ? eu <2 «-A -c Cu w I > x CA S tU — x ; CA cu C eu " l | X ) 5 ^ cu x 2 CU CA "eu cj tu u cs •5. cu Cu X cu CA eo — tt. 
.2 fi 3 O 0 0 + JD e o ^ Z H eo** ^ " " l — XZ M o C Q >• • < I— f T l s- 1 u >-u. _ J C u C L X 0 -« < 2 -•c ct 5 tu Cu Cu X tu X J ' S w tU II ^ Cu ^5 cu tS — X o C Q u C L tu c . . o 25 w X : 11 i-S ! § £ ; + o ?-±| CA CU Cu •c II Appendix B. Proof Script for STARI 1 7 6 s o + + c tt. to c r — £ T -s5 £s u. tu CO _ o Zi x5 it Q. w CO* " x>-3 CL = C L < CO c o + + c ! II 1 <y» A ! !¥ -5-? x> o f S • - i f f ? »s i •g 9 - | *AZ + . tO ate; < CU CO ate; 1 Cu 1/3 CO Cu CJ U U CO £ 3 II CO c II 55 V 2 J CO j °""| CO c CO c to pri pri CO let ? + c II 3 S-S: - « < '3 'C °" co 2 .2--I tu CJ t- tu C N "I II C L « 2 CU co CO < few. U c — o I I CO w W) || 2 ^ o ca oo o CO + S3 8*~ CQ CU II c-CL. X CU C L j 2 <2 'I -5 cu u _ C L " ~ | •C o CO-I 'I J , CN " • C L x 2 CU co 0 0 1 00 c JS 2 CU CO —' tu II t o 2 55 2 i to c I'D. -o l _> . C L C L I >» "a. C L tu _ c XJ ? l II C V Vi -o c = £ l2" II C L . 2 — I eo 4? C L * -Q . CO « .2 w -a £.£ 4 4 Ti C L .. I t = II II tu " i 2 ' Vi m -f | o + + 3 + w £ II V> v> CO Zi I u -* 3 to *! 3 < ?! ? £ •± n — o 3 + Z + II v> o Z T3 3 < 17 s o + + II V) o + A II II IT 5 H 3 O cr ttl A Zi !! 3 A 'I o ll + II tu to £ = w tt. ~r II — Ji v> CO *"» . _ 3 ^ I 3 * tU n Zi + 3 - ± ? ^ „ „ „ ,C0 II ;£ u. ^.tt.«rt >S CO >< CO "~| 2. 2.-* ff ffS CO CU cu o t o co to co tU •c C L + 3 II Vt _ 0 0 H «J CU U 00 CO tu •£ II a. 3 CO A II II "tu E t-cr ttl 3 cu .2 S a f -x> 2 t u ]\ • £ < o ZiO p o .i. O I m ^ tU ^ o >• C L Q . x a. « < 2 -3 I eo co II a A s 2 s >. .2- I t— tu x,1 S ^ cu CN 1 1 g-l cu to t j t u >< CU •a -5 = •< CO cu 2 2 C L II - V . A 2 tu 2 4 / 1 '—' CO u -s tt. 3 O ? Z B T •is s s i ~ cr ttl ^ —1 ll <u ^ . >- .a [— to 3 1 co ttl - X 1 C L O . X 0 . tu 5 I CQ S - 2 -- C L 4 >>J eo « ; 2 C Q t/ tu V  3 2 CO o. ll <u co . j -X . 1 Z w CU II 3 •c C L CN I' "Io x x 2 W CU CU CO t u t u t u X o C L > , X I >> X I CO cu T3 CO ^ + , CO - i . — _ ^ CO i - — v j I ^ 3 'Is -a. I ^ > C L C L co £ 5 ° 4 < -C L 2. N 2 ff3S cu "tu. co T 3 "co v tt. 
-— o : m L. •n C L 3 CT ttl cT n _ V — Vi U ^ 2 ^ t o " O O 3 =5 < CU u. C L I I >. l« C L H CO Vi — "tu 3 § 4 ^ « L : o . £ 2 2 L . C L 1— co co A eo ZZ. t o tu II t o X i o 00 • -cS E r_ o I I 2 II _ L. CO LJ C L S — tu £ I I -| CO CO I CL > . X •5- u i a J Appendix B. Proof Script for STARI 177 eo U. a. x u P S v > ~ >•» tu " C 7 3 2 => t a- + 2 3 o i i cu eu § § A H tu A c <y> o ^ + tu + £ c P U : tu u •3 >; SJ S i u7 X i eo 55 tu 25 5-; eo 55 K "3 o o o AI tu —. 3 — ?? + p ~ + + eo ~ E S o Z ll •a <? . 3 ? v + o tu o u7 I 6 0 II 55 S ^ ii St tu tie w £ ^ to 0 tu X 1 = ^ ^ o . ? s 1 O S A Z I  A II II -. tu CO •£ « o _ iu'x a. *5* S—' Q> = 2O CO ± u + eu S eo o .2 Cu 1^ I S II II 2 2 ca to to lo o . 2 Q . CA ca „ II eo 2 53 tu tU — s — 6 0 U w X I c p tu tu j o . « C L co x 2 _' 2 2 •c o. to co to — — tO CO 8.S.S . . 3 8.1.S f x ^ S • = , 1 1 2 ^ x ^ S oo V O t t s ; ^ to to co CO CO tO — co tu eu cu _o £ X j JS X a >>Jc I I I Cu I C L + + c to . s C L _ CA — 3 S8.8L8. n i s A II II Vi c •c C L C L + C tu A 3 ; II S.A S 2 1 1 -" ? s l 3 S "s; " 2 >; S.Q — o i c i CL + C L + C tu + 3 A C L + O + + O + + cu 3 o £ . 55 + ^ " c u + 2 = S 2 o w >, + r i ; + tu ^ S CO || S 3 _A 3 > , = f 5 5 2 u5.ll II ll — C N co to a-. >, CO CO —: tu All Tru All )sk_ AL CO to 3 tu AL 1 state) no U0+ QU 1 state) tate CL LU 1 + c t-C L UJ i 3 CA 1— X CJ >• igat X CU >• _o a. x l — igat II -j CO CU O . Q . C L C U oo , , X Cu getol one) X Cu (Be < getol one) (Be < tob ITY write CN CL X tu CA _c + + "~i JX write C N 4_ CL X cu hs (ge UALI o "Q CO CU t- t- a o ~ tta. UJ rip '~l 2 CQ OJ rip •~l tu 3 "cu 1 > CO plac tS plac PPL 1 X I? plac $ plac PPL II cu II tu LH cu L. < C N II II C N II II II k. 2 L— tu La cu C L ra C L D . 2 C L X X X X eo tu CO tu cu to cu CO 2 2 2 2 2 2 2 cr, UJ P + + Cu I _3 ; X i cT — i - , ~ w JI C L ^ OJ O . . E ; C L + a. + + + 3 ^ 2 2 2 CO co co eu 2 Vi J 3 •c C L u_ ci" A II II 'a . 
+ CL + A 3 CO 3 P + + 3 eu , 3 O CL + CL + cu CO C "2 C N "eo — S eo II W - < E C N l2 E | S >,2 CL X I W > O 3 eu 3 O A II II a X . eo o U a> 2 oo CO — ' 2 A •5 ll K . ll ^ m ^ I 2 w i "a. E E a 2 OH CJ QJ CO (A Cu 8."= o : C L " P C N CO E E X 3-— 2 O C L co 3 _+ .+ 2 _ -a • £ • — = co •eC O CL ^ II II 2 -g1 - o X tu tu Appendix B. Proof Script for STARI 178 tu s V VI 3 Zi ' Q . o tu l x - u A CO tU • -= S O 5 P CO 'E . 2 tu I ff-Q £ U tu a. i O . X ¥ 2 < >-5 P U J V o A —' II _J P _ - £ § 2 S CL I u J < + D •2 w c s i >c •c N s; , > fc w A tu tu x 2 L - CJ — " t" II tu tu CU • 3 „ z P C L co c t V 2 p 2 cu J2 £ >>Si co a. 2. e\ CT II 2 to do J 3 •n C L © A CO " p •o * CN 5 U u cu a. i >> CL CL co + c , I I V Vi LL, 3 *a rj_T c » L _ ™ „ e c u + tu 'JJ' tu 3 s ? L S + x> v C L * * C L ^ CO CU W B o "5. C L ° - + 1 = I S I? § ? + + -X 3 f | < X | "P II ?~ s i w o _ + a + 2. 3 j* ^ V S-.VI II 2 "tu" I P 3 ± CO + ~u. + T3 - 3 £ = 3 ~ < CT O Zi^1 5- 3 2? •a 9 V t 2 3 ? iZi CO ll 73 *•» Q "tU w O A 2 II t II - l ff5 § 5 CO II E 2 _C0 «" II O V + Vi + M • _P Zi P P. co •c C L «2 LUC V < + 2 >-L . _ J ™ ° - C L i3 X Q . -« < o + p 3 _£ to _ oo l l 73 cu u oo co ^ 2 S ll CL X P CN ' = X p i— '— .2--I — p Cu ~ i E ' p . J + § C L " , S 5 p > U L J S S-gfc o 2 ^ • - CL co 00 8 I (2 2 u tu u 00 CO • P -E S cu p .— — .S-~l S P • -1 ^—-. t« ' II P CN " S n.2 oo O — £ a X CO cu £ to J u 1—• '-5 — tu o a. « J U x> tu C L ^ — a. & § : CO « . II 2 CO CA = C L O co CL + < f t CL 2 < § A •o . 2 ^ CO . — p Zi 3 CJ O S + n £ w II a. _I to B- « o + + 3 C*1 ^1 w w tN w cn TJ" CO CO >. >^  CO CO £ to L-l CN ^ to . 2 - ><. I •» _>> _• . Cl_ co C L CO J « -II CU >. O to Z T3 2 2 2 CO CO CO tU to 2 2 2 2 to to — "CO-CO CO • O O CL CL — 2 — — 2 o o " CO CO O u u CJ P — — CO to CO *" u y ; © •3 -6 « ~ ^ " i l 1 C L C L I C L C L CO CO £1 O CL CL . . CJ i ? 3 o I t o £ + II J V 2 I P o S t >< -a p 3 p ^ X "P I§ ° !! + A + % £ p ~ s i 3 ' K + C L T 7 3 3 2 -a CO 3 . . . 2 < >->-o U J CO P U . 
JC II A Vi co U. 3 _ p _ g c , + II + v> c CO _ ty5 U W CJ C L JU JH II II II J CJ CJ to to tO CO tS GJ tu P Z ll 00 >, " "8 tu CU 3 II w 3 II g £ — V V - ° I ™ *9 !l CLUJ U P C L p. N N II eo ^£ ? A A. II P II ° •?? i £ o — 2 £ & « « S i A p 2 O O It C O - ii s i £ £ z z II II 3 2 O eo ± U + P 3 to TD 2 P eo 1^ C L C L >i 2 II II 2 2 2 2 CO to u u v ^ p > 3 < ? 3 P U J la' e C L X < U p = 2 t£ p p I . So -29 ^ 2 n L . CL II to 2 co Cw Cw | ^ TO - S O . ^ © < A % 3 II to o — CO tu — Appendix B. Proof Script for STARI 179 LL, "a 3 uT II V S c =5 < a. '"i i >. •» D . II ra <y» X I o ra — 3 : «J 3 o cn a i i— ra c A II -Mai hed II _exp II o '™l J cj tA 1 C 1 tA tA _QJ C L _CU ju IA, L. I CL X a. u, tA c o O U -' — ' O " tu - l l « " ( j QJ — •—- -—s c _ CO '—» o c U g ? .2 o + ra + S eo T J C II X ) eu w « y > o 0. 'I I o |» J oo x> "~i ^ T C L tA a c _ | | V tu «e ra • 0- 55 I u >, s a. ? C L ± ra DM (/) -w ca C L ca ? + 11 C L X tu < a LD ^ x . 1 ' t— ! S" 1 tu > CQ C L X tu CQ 2 . £ L ~ | C L S 11 U-C L X tU X j . II <N La C L X tu T J tU 00 5b 5 .3 2 u o CQ X I X l 3 II s 1 £ 11 — X ) x. -CS I c •c C L > CU E ™ tu a 11 E cu „ •a* > ll x. 2-g 2 1 CA C S"g. LL tA + .E ra O S 11 ^ 3 ll 2 = 9. 2 >; — CS •a x ra T J - O -V I O w eu N. O J z : -a T J c 3 .< < T J II A -—. JX 00 cs tu . — T J tu JX T J , 3 O X La tu o cs cs v •ill c r N , ra UJ J — ,ts CS LL. L L ra "ra 3 3 ~ cr cr UJ UJ O V II 2 <••»•<*> ca y-s U u u CU 3 c « ¥ ? £ J + T2 -a I - _ * < < cs U. <u _ 3 CS O 3 + cr + m S cs u II o C L 55 55 , n w O I ) U L 1) w ' 3 3 — 3 O O RA o C L I T cr + 3 + + >iss ra *e <^  UJ A II II -— y tu cu II II cu C L 5 3 3 3 JZ7 O O O O te; 1 + + + C L te; + + + tA ra O 3 2. tA 2 A ra Q . ir-es ^ 2 11 ra II 2 t/5 de 2 ra j 1 ra _3 ' 0 . tA 2 C . 5 ; 2 2 2 •c a. V > -+ 55 a C L M - x I 55 2 >• V L J 3 8-8: 2 ^ •r C L 3 , 0 cs 00 l l CQ -tu tu u 00 ra H ta. C L X cu .5--I L . 
Appendix B. Proof Script for STARI (continued, pages 180-189)

[proof script listing; the scanned text on these pages is not recoverable]

B.4 Proof Script for the Protocol (pages 190-193)

[proof script listing; the scanned text on these pages is not recoverable]
