Now that the preliminaries are out of the way, we can start formalising some proofs from chapters 2 and 3.
To start with, let us introduce the notion of a conjunctive dependency:
Definition is_conjunctive (a: PackageSet.t) := ∃ p:Package.t, a [=] (singleton p).
Lemma conjunctive_dec: ∀ a: PackageSet.t, {is_conjunctive a} + {¬ is_conjunctive a}.
Definition is_conjunctive_bool (a: PackageSet.t): bool := if conjunctive_dec a then true else false.
Then, the notions of abundance and peace are specified, as per definitions 2.4 and 2.6 from chapter 2. First, a package p is satisfied (with respect to a set S) if each of its dependencies is satisfied in S, i.e. every dependency of p (a set of alternative packages) has at least one element in common with S:
Definition satisfied_pkg (S: PackageSet.t) (p: Package.t): Prop :=
  ∀ d:PackageSet.t, List.In d (Dependencies p) → ∃ p':Package.t, In p' (inter S d).
Definition satisfied_pkg_bool (S: PackageSet.t) (p: Package.t): bool :=
  forallb (fun d ⇒ exists_ (fun p' ⇒ true) (inter S d)) (Dependencies p).
Lemma spb_ok: ∀ (S: PackageSet.t) (p: Package.t), satisfied_pkg S p ↔ Is_true (satisfied_pkg_bool S p).
Note that there is also a boolean version of the definition; this can come in useful when this formalisation is used to prove properties of actual programs, which is discussed in more detail in the 'Future work' section of the conclusion. The lemma spb_ok shows that both versions are equivalent.
The fact that the satisfied_pkg predicate is decidable follows easily from the fact that its boolean version must necessarily be true or false:
Lemma satisfied_dec: ∀ (S: PackageSet.t) (p: Package.t), decidable (satisfied_pkg S p).
A few useful lemmas about satisfaction: satisfaction is preserved when the set is extended by union (on either side), and more generally by any superset:
Lemma satisfied_union1: ∀ (S S':PackageSet.t) (p: Package.t),
  satisfied_pkg S p → satisfied_pkg (union S S') p.
Lemma satisfied_union2: ∀ (S S':PackageSet.t) (p: Package.t),
  satisfied_pkg S' p → satisfied_pkg (union S S') p.
Lemma satisfied_subset: ∀ (S S':PackageSet.t) (p: Package.t),
  S [≤] S' → satisfied_pkg S p → satisfied_pkg S' p.
Now, a set is abundant if all of its elements are satisfied with respect to the set itself. Additionally, there is a proof of the fact that abundance is a morphism (abundance is preserved under set equality), and that it is decidable.
Definition abundant (S: PackageSet.t): Prop := PackageSet.For_all (satisfied_pkg S) S.
Add Morphism abundant with signature eq ==> iff as abundant_m.
Lemma abundant_dec: ∀ S: PackageSet.t, decidable (abundant S).
The formalisation of corollary 2.5 (the union of two abundant sets is abundant):
Lemma abundant_union: ∀ (S S':PackageSet.t),
  abundant S → abundant S' → abundant (PackageSet.union S S').
For the formalisation of peace, the concept of being concerned is introduced: a conflict (c1, c2) is concerned with a set S if and only if both c1 and c2 are in S. Concernedness, too, is preserved under equality (both set equality and conflict equality), it is decidable, and it has a boolean version as well.
Definition concerned (S: PackageSet.t) (c: Package.t × Package.t): Prop :=
  match c with (p, q) ⇒ (In p S) ∧ (In q S) end.
Add Morphism concerned with signature PackageSet.eq ==> Conflict.eq ==> iff as concerned_m.
Definition concerned_bool (S: PackageSet.t) (c: Package.t × Package.t): bool :=
  match c with (p, q) ⇒ PackageSet.mem p S && PackageSet.mem q S end.
Lemma concerned_dec: ∀ (S:PackageSet.t) (c: Package.t × Package.t), decidable (concerned S c).
Lemma concerned_ok: ∀ (S: PackageSet.t) (c: Package.t × Package.t), concerned S c ↔ Is_true (concerned_bool S c).
Now it becomes easy to define peace as the absence of concerned conflicts:
Definition peaceful (S: PackageSet.t) (C: ConflictSet.t): Prop := ConflictSet.For_all (fun c ⇒ ¬ (concerned S c)) C.
Add Morphism peaceful with signature eq ==> ConflictSet.eq ==> iff as peaceful_m.
Lemma peaceful_dec: ∀ (S:PackageSet.t) (C: ConflictSet.t), decidable (peaceful S C).
Any subset of a peaceful set is also peaceful:
Lemma peaceful_subset: ∀ (S1 S2: PackageSet.t) (C: ConflictSet.t), S1 [≤] S2 → peaceful S2 C → peaceful S1 C.
As we can see, things start to converge towards the formalisation and proof of theorem 3.25. One more lemma: if a set is not peaceful, there is a specific conflict to be ‘blamed’ for that:
6. Formalisation
Lemma blame_conflict: ∀ (I: PackageSet.t) (C: ConflictSet.t), ¬ peaceful I C →
  ConflictSet.Exists (fun c ⇒ concerned I c) C.
With this, lemma 3.23 can be proved, which is one of the substantive ingredients for the proof of theorem 3.25: if two sets are each peaceful but their union is not, the conflict to blame must run between a package of the first set and a package of the second.
Lemma not_peaceful_conflict: ∀ (S S':PackageSet.t) (C: ConflictSet.t),
  (peaceful S C) → (peaceful S' C) → ¬ (peaceful (union S S') C) →
  Exists (fun p ⇒ Exists (fun q ⇒ ConflictSet.In (p, q) C) S') S.
After this, healthiness can be defined as the combination of abundance and peace. Healthiness, too, is preserved under equality, and it is decidable (both follow directly from the corresponding results for abundance and peace).
Definition healthy (S: PackageSet.t) (C: ConflictSet.t): Prop := abundant S ∧ peaceful S C.
Add Morphism healthy with signature eq ==> ConflictSet.eq ==> iff as healthy_m.
Lemma healthy_dec: ∀ (S: PackageSet.t) (C: ConflictSet.t), decidable (healthy S C).
The empty set is healthy:
Lemma empty_healthy: ∀ (S: PackageSet.t) (C: ConflictSet.t), Empty S → healthy S C.
6.5 Installability
This section is about the definition of installability and co-installability; see also definitions 2.8 and 2.9 from chapter 2.
Definition installable (R: PackageSet.t) (C: ConflictSet.t) (p: Package.t) :=
  ∃ I:PackageSet.t, I [≤] R ∧ In p I ∧ healthy I C.
Definition is_install_set (p: Package.t) (R: PackageSet.t) (C: ConflictSet.t) (I: PackageSet.t) :=
  In p I ∧ I [≤] R ∧ healthy I C.
Definition co_installable (R: PackageSet.t) (C: ConflictSet.t) (S: PackageSet.t) :=
  ∃ I:PackageSet.t, I [≤] R ∧ S [≤] I ∧ healthy I C.
Fairly trivial: a package p is installable if and only if the singleton set {p} is co-installable (the witness I is the same in both directions):
Lemma inst_coinst: ∀ (R: PackageSet.t) (C: ConflictSet.t) (p: Package.t), installable R C p ↔ co_installable R C (singleton p).
Let us start by defining the difference between normal dependencies (i.e. all specified dependencies) and conjunctive dependencies (dependencies with a single alternative). This is done by using the dependency filter mentioned previously: for normal dependencies, the filter that always returns true (thus selecting all dependencies) is used, and for conjunctive dependencies, the is_conjunctive_bool function defined before is used.
Definition direct_normal_dependency (p: Package.t) (q: Package.t) := direct_dependency Dependencies (fun x ⇒ true) p q.
Definition direct_conjunctive_dependency (p: Package.t) (q: Package.t) := direct_dependency Dependencies is_conjunctive_bool p q.
If there is a direct conjunctive dependency, there is a direct normal dependency as well (every dependency passes the always-true filter):
Lemma conj_dep_is_dep: ∀ p q, direct_conjunctive_dependency p q → direct_normal_dependency p q.
The same applies for dependency paths:
Definition normal_dependency_path (p q: Package.t) (l: list Package.t): Prop :=
  dependency_path Dependencies (fun a ⇒ true) p q l.
Definition conjunctive_dependency_path (p q: Package.t) (l: list Package.t): Prop :=
  dependency_path Dependencies is_conjunctive_bool p q l.
Lemma conj_dp_is_dp: ∀ p q l, conjunctive_dependency_path p q l → normal_dependency_path p q l.
And finally, the definitions of the normal and conjunctive dependency relationship, as well as the 'normal' dependency cone.
Definition normal_dependency (p q: Package.t): Prop := dependency Dependencies (fun a ⇒ true) p q.
Definition conjunctive_dependency (R: PackageSet.t) (p q: Package.t): Prop := dependency Dependencies is_conjunctive_bool p q.
Definition normal_cone (R: PackageSet.t) (S: PackageSet.t | S [≤] R) := cone Dependencies (fun a ⇒ true) R S.
All this can be combined into the following theorem: if a package p is installable with respect to a repository R, it is also installable with respect to its dependency cone ∆R(p); this is proposition 2.17. The lemma is stated for a co-installable set P of packages (P being a subset of R, as the cone requires); the single-package statement follows through inst_coinst by taking P = {p}.
Lemma installable_in_cone: ∀ (R:PackageSet.t) (C: ConflictSet.t) (P: PackageSet.t | P [≤] R),
  co_installable R C (proj1_sig P) →
  co_installable (normal_cone R (exist (fun v ⇒ v [≤] R) (proj1_sig P) (proj2_sig P))) C (proj1_sig P).
Next in line is proposition 2.18: any conjunctive dependency q of p is always part of every install set of p:
Lemma conjunctive_always_installed: ∀ R C p q I,
  conjunctive_dependency R p q → is_install_set p R C I → In q I.
Consequently, if a conjunctive dependency of a package is not installable, the package is not installable itself:
Lemma not_installable_conjunctive: ∀ (R: PackageSet.t) (C: ConflictSet.t) (p q: Package.t),
  ¬ installable R C q → conjunctive_dependency R p q → ¬ installable R C p.
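The following is an added executable illustration, not code from the thesis or from its Coq development. It re-expresses the boolean versions of the definitions above (satisfied_pkg, abundant, concerned, peaceful, healthy) and the installability notions of this section over a small constructed repository, so that the lemmas can be checked on concrete data: the union of two abundant sets is abundant (abundant_union), a non-peaceful union of two peaceful sets is blamed on a conflict running between them (not_peaceful_conflict), an install set stays inside the normal dependency cone (installable_in_cone), a conjunctive dependency is in every install set (conjunctive_always_installed), and an uninstallable conjunctive dependency makes the depending package uninstallable (not_installable_conjunctive). Assumptions: the repository, dependencies and conflicts are constructed here; conflicts are treated as unordered pairs (the thesis uses ordered pairs); installability is decided by exhaustive search over subsets of R, which is exponential and only meant for toy inputs; the cone is computed as a reachability closure restricted to R.

```python
from itertools import combinations

# Constructed sample repository (not from the thesis). Each package maps to its
# list of dependencies; a dependency is a set of alternatives, and a dependency
# with exactly one alternative is conjunctive.
DEPENDENCIES = {
    "a": [{"b"}, {"c", "d"}],  # a needs b, and c or d
    "b": [{"e"}],              # conjunctive: b needs e
    "c": [],
    "d": [{"f"}],
    "e": [],
    "f": [],
    "g": [{"h"}],              # conjunctive: g needs h, which is not in the repository
}
# Conflicts as unordered pairs (assumed symmetric here; the thesis uses ordered pairs).
CONFLICTS = {frozenset({"c", "e"})}
REPOSITORY = set(DEPENDENCIES)


def is_conjunctive(dep):
    # is_conjunctive_bool: the dependency offers exactly one alternative
    return len(dep) == 1


def satisfied_pkg(S, p):
    # satisfied_pkg_bool S p: every dependency of p has an alternative in S
    return all(S & dep for dep in DEPENDENCIES.get(p, []))


def abundant(S):
    # every element of S is satisfied with respect to S itself
    return all(satisfied_pkg(S, p) for p in S)


def concerned(S, c):
    # concerned_bool S c: both packages of the conflict c are in S
    return c <= S


def peaceful(S, C):
    return not any(concerned(S, c) for c in C)


def blame_conflict(S, C):
    # witness for blame_conflict: a concerned conflict, or None if S is peaceful
    return next((c for c in C if concerned(S, c)), None)


def cross_conflicts(S, S2, C):
    # witnesses for not_peaceful_conflict: pairs (p in S, q in S2) that conflict
    return {(p, q) for p in S for q in S2 if frozenset({p, q}) in C}


def healthy(S, C):
    return abundant(S) and peaceful(S, C)


def install_set(R, C, p):
    # a cardinality-minimal I with p in I, I subset of R and healthy I C, else None
    # (exhaustive search over subsets of R: exponential, illustration only)
    members = sorted(R)
    for k in range(1, len(members) + 1):
        for I in combinations(members, k):
            I = set(I)
            if p in I and healthy(I, C):
                return I
    return None


def installable(R, C, p):
    return install_set(R, C, p) is not None


def co_installable(R, C, S):
    # some healthy I with S subset of I subset of R (exhaustive search)
    members = sorted(R)
    return any(S <= set(I) and healthy(set(I), C)
               for k in range(len(S), len(members) + 1)
               for I in combinations(members, k))


def normal_cone(R, S):
    # packages of R reachable from S (S included) along any dependency alternative
    cone, frontier = set(S), set(S)
    while frontier:
        p = frontier.pop()
        for dep in DEPENDENCIES.get(p, []):
            for q in dep & R:
                if q not in cone:
                    cone.add(q)
                    frontier.add(q)
    return cone


def conjunctive_dependencies(p):
    # direct conjunctive dependencies of p
    return {next(iter(dep)) for dep in DEPENDENCIES.get(p, []) if is_conjunctive(dep)}


if __name__ == "__main__":
    print("install set of a:", install_set(REPOSITORY, CONFLICTS, "a"))
    print("blame for {c, e}:", blame_conflict({"c", "e"}, CONFLICTS))
    print("cone of a:", normal_cone(REPOSITORY, {"a"}))
    for q in conjunctive_dependencies("g"):
        print("g needs", q, "- installable:", installable(REPOSITORY, CONFLICTS, q))
```

Because c and e conflict, the only way to install a is through the d/f branch, so the minimal install set is {a, b, d, e, f}; it lies within the cone of a, which excludes g. The sets {c} and {e} are each healthy, their union is abundant (abundant_union) but not peaceful, and cross_conflicts names the offending pair, exactly the shape of not_peaceful_conflict. Finally g is uninstallable solely because its conjunctive dependency h is absent from the repository.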