Save this PDF as:

Size: px
Start display at page:

## Transcription

6 Mathematically, cancellation merely involves removing common terms from disjoint unions on the two sides of a heap equation. For example, if we are given an equation x v 1 (h 3 h 4) = h 4 x v 2 and we know that the heaps are disjoint (i.e., the unions are defined), then we can extract the implied equations v 1 = v 2 h 3 = empty We will implement the lemma in two stages. The first stage is a canonical structure program, which reflects the equation, that is, turns the equation on heap expressions into an abstract syntax tree (or abstract syntax list, as it will turn out). Then the second stage is a functional program, which cancels common terms from the syntax tree. Notice that the functional program from the second stage cannot work directly on the heap equation for two reasons: (1) it needs to compare heap and pointer variable names, and (2) it needs to pattern match on function names, since in HTT heaps are really partial maps from locations to values, and and are merely convenient functions for constructing them. As neither of these is possible within Coq s base logic, the equation has to be reflected into syntax in the first stage. The main challenge then is in implementing reflection, so that the various occurrences of one and the same heap variable or pointer variable in the equation are ascribed the same syntactic representation. Cancellation Since the second stage is simpler, we explain it first. For the purposes of presentation, we restrict our pointers to only store values of some predetermined type T (although the actual implementation in our source files is more general). The data type that we use for syntactic representation of heap expressions is then the following: elem := Var of nat Pts of nat & T term := seq elem An element of type elem identifies a heap component as being either a heap variable or a points-to clause x v. In the first case, the component is represented as Var n, where n is a number identifying the heap variable in the style of de Bruijn indices; that is, as an index into some environment (to be explained below). In the second case, the component is represented as Pts m v, where m is a number identifying the pointer variable in an environment. We do not perform any reflection on v, as it is not necessary for the cancellation algorithm. A heap expression is then represented via term as a list (seq) of elements. We could have represented the original heap expression more faithfully as a tree, but since is commutative and associative, lists suffice for our purposes. We will require two kinds of environments, which we package into the type of contexts: ctx := seq heap seq ptr The first component of a context is a list of heaps. In a term reflecting a heap expression, the element Var n stands for the n- th element of this list. Similarly, the second component is a list of pointers, and in the element Pts m v, the number m stands for the m-th pointer in the list. Because we will need to verify that our syntactic manipulation preserves the semantics of heap operations, we need a function that interprets syntax back into semantics. Assuming lookup functions hlook and plook which search for an index in a context of a heap or pointer, respectively, the interpretation function crawls over the syntactic term, replacing each number index with its value from the context (and returning an undefined heap, if the index is out of cancel (i : ctx) (t 1 t 2 r : term) : Prop := match t 1 with nil interp i r = interp i t 2 Pts m v :: t 1 if premove m t 2 is Some (v, t 2) then cancel i t 1 t 2 r v = v else cancel i t 1 t 2 (Pts m v :: r) Var n :: t 1 if hremove n t 2 is Some t 2 then cancel i t 1 t 2 r else cancel i t 1 t 2 (Var n :: r) end Figure 1. Heap cancellation algorithm. bounds). The function is implemented as follows: interp (i : ctx) (t : term) : heap := match t with Var n :: t if hlook i n is Some h then h interp i t else Undef Pts m v :: t if plook i m is Some x then x v interp i t else Undef nil empty end For example, if the context i is ([h 3, h 4], [x]), then interp i [Pts 0 v 1, Var 0, Var 1] = x v 1 (h 3 (h 4 empty)) interp i [Var 1, Pts 0 v 2] = h 4 (x v 2 empty) Given this definition of term, we can now encode the cancellation algorithm as a predicate (i.e., a function into Prop) in Coq (Figure 1). The predicate essentially constructs a conjunction of the residual equations obtained as a consequence of cancellation. Referring to Figure 1, the algorithm works as follows. It looks at the head element of the left term t 1, and tries to find it in the right term t 2 (keying on the debruijn index of the element). If the element is found, it is removed from both sides, before recursing over the rest of t 1. When removing a Pts element keyed on a pointer x, the values v and v stored into x in t 1 and t 2 must be equal. Thus, the proposition computed by cancel should contain an equation between these values as a conjunct. If the element is not found in t 2, it is shuffled to the accumulator r, before recursing. When the term t 1 is exhausted, i.e., it becomes the empty list, then the accumulator stores the elements from t 1 that were not cancelled by anything in t 2. The equation between the interpretations of r and t 2 is a semantic consequence of the original equation, so cancel immediately returns it (our actual implementation performs some additional optimization before returning). The helper function premove m t 2 searches for the occurrences of the pointer index m in the term t 2, and if found, returns the value stored into the pointer, as well as the term t 2 obtained after removing m from t 2. Similarly, hremove n t 2 searches for Var n in t 2 and if found, returns t 2 obtained from t 2 after removal of n. Soundness of cancel is established by the following lemma which shows that the facts computed by cancel indeed do follow from the input equation between heaps, when cancel is started with the empty accumulator. cancel sound : i : ctx. t 1 t 2 : term. def (interp i t 1) interp i t 1 = interp i t 2 cancel i t 1 t 2 nil. The proof of cancel sound is rather involved so we omit it here, but it can be found in our source files. We could have proved the 6

7 converse direction as well, to obtain a completeness result, but this was not necessary for our purposes. The related work on proofs by reflection usually implements the cancellation phase in a manner similar to above (see for example the work of Grégoire et al. [12]). Where we differ from the related work is the implementation of the reflection phase. This phase is usually implemented by a tactic, but here we show that it can be implemented with canonical structures instead. Reflection via Canonical Structures Intuitively, the reflection algorithm traverses a heap expression, and produces the corresponding syntactic term. In our overloaded lemma, presented further below, we will invoke this algorithm twice, to reflect both sides of the equation. To facilitate cancellation, we need to ensure that identical variables on the two equation sides, call them E 1 and E 2, are represented by identical syntactic elements. Therefore, reflection of E 1 has to produce a context of newly encountered elements and their syntactic equivalents, which is then fed as an input to the reflection of E 2. If reflection of E 2 encounters an expression which is already in the context, the expression is reflected with the syntactic element provided by the context. Notational Convention 3. Hereafter, projections out of an instance are considered implicit coercions, and we will typically omit them from our syntax. For example, in Figure 2 (described below), the canonical instance union struct says union tag(f 1 f 2) instead of union tag((untag (heap of f 1)) (untag (heap of f 2))), which is significantly more verbose. This is a standard technique in Coq. The reflection algorithm is encoded using the structure ast from Figure 2. The inputs to each traversal are the initial context i of ast, and the initial heap in the heap of projection. The output is the (potentially extended) context j and the syntactic term t that reflects the initial heap. One invariant of the structure is precisely that the term t, when interpreted under the output heap j, reflects the input heap: interp j t = heap of There are additional invariants too, which are necessary to carry out the proofs, but we omit them here for brevity; they can be found in our source files. There are several cases to consider during a traversal, as shown by the canonical instances in Figure 2. We first check if the input heap is a union, as can be seen from the (as usual, reverse) ordering of tag synonyms. In this case, the canonical instance is union struct. The instance specifies that we recurse over both subheaps, by unifying the left subheap with f 1 and the right subheap with f 2. The types of f 1 and f 2 show that the two recursive calls work as follows. First the call to f 1 starts with the input context i and computes the output context j and term t 1. Then the call to f 2 proceeds with input context j, and computes outputs k and t 2. The output context of the whole union is k, and the output reflected term is the list-concatenation of t 1 and t 2. When reflecting the empty heap, the instance is empty struct. In this case, the input context i is simply passed as output, and the reflected term is the empty list. When reflecting a singleton heap x v, the corresponding instance is ptr struct. In this case, we first have to check if x is a pointer that already appears in the pointer part xs 1 of the input context. If so, we should obtain the index m at which x appears in xs 1. This is the number representing x, and the returned reflected elem is Pts m v. On the other hand, if x does not appear in xs 1, we need to add it. We compute a new context xs 2 which appends x at the end of xs 1, and this is the output pointer context for ptr struct. The number m representing x in xs 2 now equals the size of xs 2, and returned reflected elem is again Pts m v. Similar var tag h := Tag h pts tag h := var tag h empty tag h := pts tag h canonical union tag h := empty tag h structure ast (i j : ctx) (t : term) := Ast {heap of : tagged heap; : interp j t = heap of...} canonical union struct (i j k : ctx) (t 1 t 2 : term) (f 1 : ast i j t 1)(f 2 : ast j k t 2) := Ast i k (append t 1 t 2) (union tag (f 1 f 2))... canonical empty struct (i : ctx) := Ast i i nil (empty tag empty)... canonical pts struct (hs : seq heap) (xs 1 xs 2 : seq ptr) (m : nat) (v : A) (f : xfind xs 1 xs 2 m) := Ast (hs, xs 1) (hs, xs 2) [Pts m v] (pts tag (f v))... canonical var struct (hs 1 hs 2 : seq heap) (xs : seq ptr) (n : nat) (f : xfind hs 1 hs 2 n) := Ast (hs 1, xs) (hs 2, xs) [Var n] (var tag f)... Figure 2. Structure ast for reflecting a heap. structure xtagged A := XTag {xuntag : A} extend tag A (x : A) := XTag x recurse tag A (x : A) := extend tag x canonical found tag A (x : A) := recurse tag x structure xfind A (s r : seq A) (i : nat) := XFind {elem of : xtagged A; : index r i = elem of...} canonical found struct A (x : A) (s : seq A) := XFind (x :: s) (x :: s) 0 (found tag x)... canonical recurse struct (i : nat) (y : A) (s r : seq A) (f : xfind s r i) := XFind (y :: s) (y :: r) (i + 1) (recurse tag f)... canonical extend struct A (x : A) := XFind nil [x] 0 (extend tag x)... Figure 3. Structure xfind for searching for an element in a list; appending the element at the end if not found. considerations apply in the case when we are reflecting a heap variable h. The instance is then var struct and we search in the heap portion of the context hs 1, producing a new heap portion hs 2. In both cases, the task of searching and extending the context is performed by the polymorphic structure xfind (Figure 3), which recurses over the context lists in search of an element, relying on unification to make syntactic comparisons between expressions. The inputs to the structure are the parameter s which is the sequence to search in, and the field elem of, which is the (tagged) element to search for. The output sequence r equals s if elem of is not in s, or extends s with elem of otherwise. The output parameter i is the position at which the elem of is found in r. 7

9 structure tagged heap := Tag {untag : heap} right tag (h : heap) := Tag h left tag h := right tag h canonical found tag h := left tag h structure partition (k r : heap) := Partition {heap of : tagged heap; : heap of = k r} canonical found struct k := Partition k empty (found tag k)... canonical left struct h r (f : Πk. partition k r) k := Partition k (r h) (left tag (f k h))... canonical right struct h r (f : Πk. partition k r) k := Partition k (h r) (right tag (h f k))... Figure 4. Structure partition for partitioning a heap into two parts: the part matching k, and the rest (r). The instances in Figure 4 are designed so that the canonical solution f will have the property that the heap component of f (x w) syntactically equals h, matching exactly the order and the parenthesization of the summands in h. We have three instance selectors: one for the case where we found the heap we are looking for, and two to recurse over each side of the. The reader may wonder why all the instances of partition take the k parameter last, thus forcing the f parameter in the latter two instances to be itself abstracted over k as well. The reason is simple. The last step in solving the above unification goal will be to unify?f (x w) with whatever canonical structure is ultimately computed. For example, if h = h 0 x w, then the last step of unification will resolve the following goal:?f (x w) = right struct h 0 empty found struct (x w). Coq s unification will reduce to subgoals involving the structural components of the applications:?f = right struct h 0 empty found struct and x w = x w, which are solved immediately. However, this only works because the k parameter of right struct comes last, thus making it possible to structurally match the occurrences of x w on the two sides of the equation. If k came earlier, the unification would simply fail. We have described how to construct the canonical solution f, but the mere construction is not sufficient to carry out the proof of bnd writer. For the proof, we further require an explicit invariant that f (x v) produces a heap in which the contents of x is changed to v, but everything else is unchanged when compared to f (x w). This is the role of the parameter r, which is constrained by the invariant in the definition of partition to equal the rest of the heap, that is h = k r. With this invariant in place, we can vary the parameter k from x w in the conclusion of bnd writer to x v in the premise. However, r remains fixed by the type of f, providing the guarantee that the only change to the heap was in the contents of x. It may be interesting to note that, while our code computes an f that syntactically matches the parentheses and the order of summands in h (as this is important for using the lemma in practice), the above invariant on h, k and r is in fact a semantic, not a syntactic, equality. In particular, it doesn t guarantee that h and k r are constructed from the same exact applications of and, since in HTT those are defined functions, not primitive constructors. Rather, it captures only equality up to commutativity, associativity and other semantic properties of heaps as partial maps. This suffices to prove bnd writer, but more to the point: the syntactic property, while true, cannot even be expressed in Coq s logic, precisely because it concerns the syntax and not the semantics of heap expressions. To conclude the section, notice that the premise and conclusion of bnd writer both contain projections out of f. Therefore, the lemma may be used both in forward reasoning (out of hypotheses) and in backward reasoning (for discharging a given goal). For example, we can prove the goal verify (bind (write x 2 4) e) (i 1 (x 1 1 x 2 2)) q under hypothesis in two ways: H : verify (e ()) (i 1 (x 1 1 x 2 4)) q Backward: By applying bnd writer to the goal. The goal will therefore be changed to exactly match H. Forward: By applying bnd writer (x := x 2) (w := 2) to the hypothesis H, thus obtaining the goal. Note how in this case we need to explicitly provide the instantiations of the parameters x and w because they cannot be gleaned just from looking at H. This kind of versatility is yet another advantage that lemmas based on canonical instances exhibit when compared to tactics. The latter, it seems, must be specialized to either forward or backward mode, and we have not managed to encode a tactic equivalent of bnd writer that is usable in both directions. 6. Reordering Unification Subproblems In this section we design an overloaded version of our original noalias lemma from Section 1. The main challenge, as it turns out, is ensuring that the unification constraints generated during canonical structure inference are resolved in the intended order. This is important because the postponing of a certain constraint may underspecify certain variables, leading the system to choose a wrong intermediate value that will eventually fail to satisfy the postponed constraint. In the case of noalias, the problem is that a naïve implementation will result in the triggering of a search for a pointer in a heap before we know what pointer we re searching for. Fortunately, it is possible to handle this problem very easily using an extremely simple design pattern we call hoisting. Before we come to explain the details of the problem and the pattern, let us first present the search structures that form the core of the automation for noalias and are shown in Figures 5 7. Given a heap h, and two pointers x and y, the algorithm for noalias proceeds in three steps: (1) scan h to compute the list of pointers s appearing in it, which must by well-definedness of h be a list of distinct pointers; (2) search through s until we find either x or y; (3) once we find one of the pointers, continue searching through the remainder of s for the other one. Step (1) is implemented by the scan structure in Figure 5. Like the ast structure from Section 4, scan returns its output using its parameter (here, s). It also outputs a proof that the pointers in s are all distinct (i.e., uniq s) and that they are all in the domain of the input heap, assuming it was well-defined. Step (2) is implemented by the search2 structure (named so because it is searches for two pointers, both taken as parameters to the structure). It produces a proof that x and y are both distinct members of the input list s, which will be passed in through unification 9

10 structure tagged heap := Tag {untag : heap} default tag (h : heap) := Tag h ptr tag h := default tag h canonical union tag h := ptr tag h structure scan (s : seq ptr) := Scan {heap of : tagged heap; : def heap of uniq s x. x s x dom heap of} canonical union struct s 1 s 2 (f 1 : scan s 1) (f 2 : scan s 2) := Scan (append s 1 s 2) (union tag (f 1 f 2))... canonical ptr struct A x (v : A) := Scan (x :: nil) (ptr tag (x v))... canonical default struct h := Scan nil (default tag h)... Figure 5. Structure scan for computing a list of pointers syntactically appearing in a heap. structure tagged seq2 := Tag2 {untag2 : seq ptr} foundz (s : seq ptr) := Tag2 s foundy s := foundz s canonical foundx s := foundy s structure search2 (x y : ptr) := Search2 {seq2 of : tagged seq2; : x seq2 of y seq2 of (uniq seq2 of x!= y)} canonical x struct x y (s 1 : search1 y) := Search2 x y (foundx (x :: s 1))... canonical y struct x y (s 1 : search1 x) := Search2 x y (foundy (y :: s 1))... canonical z struct x y z (s 2 : search2 x y) := Search2 x y (foundz (z :: s 2))... Figure 6. Structure search2 for finding two pointers in a list. structure tagged seq1 := Tag1 {untag1 : seq ptr} recurse tag (s : seq ptr) := Tag1 s canonical found tag s := recurse tag s structure search1 (x : ptr) := Search1 {seq1 of : tagged seq1; : x seq1 of} canonical found struct (x : ptr) (s : seq ptr) := Search1 x (found tag (x :: s))... canonical recurse struct (x y : ptr) (f : search1 x) := Seach1 x (recurse tag (y :: f))... Figure 7. Structure search1 for finding a pointer in a list. with the seq2 of projection. The search proceeds until either x or y is found, at which point the search1 structure (next paragraph) is invoked with the other pointer. Step (3) is implemented by the search1 structure, which searches for a single pointer x in the remaining piece of s, returning a proof of x s membership in s if it succeeds. Its implementation is quite similar to that of the find structure from Section 2.3. With our core automated machinery in hand, we are ready for our first (failed) attempt at an overloaded version of noalias: noaliasr wrong : x : ptr. s : seq ptr. f : scan s. g : check x s. def (untag (heap of f)) x!= unpack (y of g) The intuition behind the reformulation can be explained in programming terms. When the lemma is applied to a hypothesis D of type def h, the heap h will be unified with the projection untag (heap of f). This will trigger an inference problem in which the system solves for the canonical implementation of f by executing the scan algorithm, thus producing as output the pointer list s. For example, if h = i 1 (x 1 v 1 x 2 v 2) (i 2 x 3 v 3), then s will get unified with [x 1, x 2, x 3], so it can serve as a welldefined input to the search steps that follow. When the lemma is subsequently applied in order to solve a goal of the form x!= y, we need some way to get the unification with the conclusion of the lemma to trigger the automated search for x and y in the list s. Toward this end, we can use the unification with either x or y as the trigger for the search, and here we choose the latter. Specifically, we define a structure check, whose construction is keyed on a projection y of that will be unified with y : 3 structure packed ptr := Pack {unpack : ptr} canonical pack (z : ptr) := Pack z structure check (x : ptr) (s : seq ptr) := Check {y of : packed ptr; : uniq s x!= unpack y of} canonical start x y (s 2 : search2 x y) := Check x (untag2 (seq2 of s 2)) (pack y)... The sole purpose of the canonical instance start for the check structure is to take x and s, passed in as parameters, and y, passed in through unification with the y of projection, and repackage them appropriately in the form that the search2 structure expects. In particular, recall that search2 expects the two pointers to be passed in as parameters, and s to be unified with its seq2 of projection. Unfortunately, the linking structure we ve defined here doesn t quite work. The trouble has to do with the way in which Coq orders the subproblems that arise during canonical instance unification. Although a fully detailed presentation of the Coq unification algorithm is beyond the scope of this paper, the rule of thumb is that when matching against a canonical instance, Coq solves the unification subproblems in a left-to-right order that is, it first solves the unification subproblems corresponding to each of the structure parameters (in the case of check, the x and s parameters) and only then unifies the structure projections (like y of in this case). Thus, when matching against the start instance, what happens is the following. First, fresh unification variables are generated for the instance parameters?x,?y and?s 2. Then, three new unification subproblems are generated and solved in the following order, 3 The astute reader may notice that it is not actually necessary to tag (or in this case, pack) the y of projection of the check structure since we are only defining one canonical instance for the structure. We tag y of simply to minimize the delta required when we describe the hoisting pattern below. 10

11 corresponding to the arguments of Check:?x = x untag2(seq2 of?s 2) = s?y = y The problem is that the solution to the second equation will fire the search for a canonical solution for?s 2 of type search2 x?y thus triggering the search for x and?y in s before the third equation has unified?y with y. So we will end up searching s for an unknown?y, leading to the wrong behavior in most cases. The Pattern In order to fix our check structure, we need a way to arrange for?y to be unified with y before the search algorithm gets triggered on the pointer list s. The trick to doing this is to give check an extra parameter y, which will appear earlier than (i.e., to the left of) s in the parameter list, thus ensuring higher priority in the unification order. But we will also constrain that parameter y to be equal to the y of projection from the structure by (effectively) giving the projection a singleton type. We call this hoisting. To illustrate, here is how to change the packed ptr and check structures (and their instances) according to the hoisting pattern: structure equals ptr (z : ptr) := Pack {unpack : ptr} canonical equate (z : ptr) := Pack z z structure check (x y : ptr) (s : seq ptr) := Check {y of : equals ptr y; : uniq s x!= unpack y of} canonical start x y (s 2 : search2 x y) := Check x y (untag2 (seq2 of s 2)) (equate y)... The key here is the new version of packed ptr, which (for clarity) we call equals ptr, and which is now explicitly parameterized over a pointer z. The instance equate guarantees that the canonical value of type equals ptr z is a package containing z itself. We rely on this guarantee in the check structure, whose y of projection now has type equals ptr y, thus constraining it to be equal to check s new parameter y. We can now revise our statement of the overloaded noaliasr lemma ever so slightly to mention the new parameter y: noaliasr : x y : ptr. s : seq ptr. f : scan s. g : check x y s. def (untag (heap of f)) x!= unpack (y of g) As above, suppose that noaliasr has already been applied to a hypothesis D of type def h, so that the lemma s parameter s has already been solved for. Then, when noaliasr is applied to a goal x!= y, the unification engine will unify x with the argument?x of noaliasr, and proceed to unify unpack (y of?g) = y in a context where?g : check x?y s. Note that, although we have elided it, unpack here really takes as its first (implicit) argument the unknown pointer?y that is implied by equals ptr?y (the type of y of?g). Thus, by canonicity, the equation will be resolved with equate, and two new equations will be generated (in this order):?y = y y of?g = equate y The first unification is the essential one that needs to happen prior to triggering of the search procedure, so that all inputs to the search are known; the rest of unification then works as expected. Intuitively, the reason the equation between?y and y is generated first is because it arises from unifying the types of y of?g and equate y, which is necessary before one can unify the terms themselves. For a more formal explanation of canonical instance resolution, we refer the reader to our online appendix [11]. Finally, note the y that is shared between the parameter (y) and the projection (equate y) of the start instance. By hoisting y so that it appears before s in the argument list of Check, we have ensured that it will be unified with the y from the goal before the search through s begins. Applying the Lemma The overloaded noaliasr lemma supports a number of modes of use: it can be applied, used as a rewrite rule, or composed with other lemmas. For example, assume that we have a hypothesis specifying a disjointness of a number of heaps in a union: D : def (i 1 (x 1 v 1 x 2 v 2) (i 2 x 3 v 3)). Assume further that the arguments x, y, s, f and g of noaliasr are implicit, so that we can write simply (noaliasr D) when we want to partially instantiate the lemma with the hypothesis D. Then the following are some example goals, and proofs to discharge them, illustrating the flexibility of use. As can be seen, no tedious reordering of heap expressions by commutativity and associativity is needed. 1. The lemma can be used in backward reasoning. The type checker picks up x 1 and x 2 from the goal, and confirms they appear in D. Goal : x 1!= x 2 Proof : by apply : (noaliasr D). 2. The lemma can be used in iterated rewriting (notice the modifier! ). The lemma is partially instantiated with D. It performs the initial scan of D once, but is then used three times to reduce each conjunct to true. There is no need in the proof to specify the input pointers to be checked for aliasing. The type checker can pick them up from the goal, in the order in which they appear in the conjunction. Goal : (x 1!= x 2) && (x 2!= x 3) && (x 3!= x 1) Proof : by rewrite!(noaliasr D). 3. The lemma can be composed with other lemmas, to form new rewrite rules. Again, there is no need to provide the input pointers in the proofs. For example, given the standard library lemma negbte : b:bool.!b = true b = false, we have: Goal : if (x 2 == x 3) && (x 1!= x 2) then false else true Proof : by rewrite (negbte (noaliasr D)). 4. That said, we can provide the input pointers in several ways, if we wanted to, which would correspond to forward reasoning. We can use the term selection feature of rewrite to reduce only the specified conjunct in the goal. Goal : ((x 1!= x 2) && (x 2!= x 3)) = (x 1!= x 2) Proof : by rewrite [x 2!= x 3](noaliasR D) andbt. Here a rewrite by andbt : b. b && true = b is used to remove the true left in the goal after rewriting by noaliasr. 5. Or, we can supply one (or both) of the pointer arguments directly to noaliasr. Goal : ((x 1!= x 2) && (x 2!= x 3)) = (x 1!= x 2) Proof : by rewrite (noaliasr (x := x 2) D) andbt. Goal : ((x 1!= x 2) && (x 2!= x 3)) = (x 1!= x 2) Proof : by rewrite (noaliasr (y := x 3) D) andbt. 11

JFP 23 (4): 357 401, 2013. c Cambridge University Press 2013 doi:10.1017/s0956796813000051 357 How to make ad hoc proof automation less ad hoc GEORGES GONTHIER Microsoft Research, Cambridge, United Kingdom

### [Refer Slide Time: 05:10]

Principles of Programming Languages Prof: S. Arun Kumar Department of Computer Science and Engineering Indian Institute of Technology Delhi Lecture no 7 Lecture Title: Syntactic Classes Welcome to lecture

### CHAPTER 7 GENERAL PROOF SYSTEMS

CHAPTER 7 GENERAL PROOF SYSTEMS 1 Introduction Proof systems are built to prove statements. They can be thought as an inference machine with special statements, called provable statements, or sometimes

### Deterministic Discrete Modeling

Deterministic Discrete Modeling Formal Semantics of Firewalls in Isabelle/HOL Cornelius Diekmann, M.Sc. Dr. Heiko Niedermayer Prof. Dr.-Ing. Georg Carle Lehrstuhl für Netzarchitekturen und Netzdienste

### CIS 500 Software Foundations Midterm I. Answer key. October 10, 2007

CIS 500 Software Foundations Midterm I Answer key October 10, 2007 Functional Programming 1. (2 points) Consider the following Fixpoint definition in Coq. Fixpoint zip (X Y : Set) (lx : list X) (ly : list

### WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?

WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT? introduction Many students seem to have trouble with the notion of a mathematical proof. People that come to a course like Math 216, who certainly

### New Generation of Software Development

New Generation of Software Development Terry Hon University of British Columbia 201-2366 Main Mall Vancouver B.C. V6T 1Z4 tyehon@cs.ubc.ca ABSTRACT In this paper, I present a picture of what software development

### OPERATIONAL TYPE THEORY by Adam Petcher Prepared under the direction of Professor Aaron Stump A thesis presented to the School of Engineering of

WASHINGTON NIVERSITY SCHOOL OF ENGINEERING AND APPLIED SCIENCE DEPARTMENT OF COMPTER SCIENCE AND ENGINEERING DECIDING JOINABILITY MODLO GROND EQATIONS IN OPERATIONAL TYPE THEORY by Adam Petcher Prepared

### Chapter 7: Functional Programming Languages

Chapter 7: Functional Programming Languages Aarne Ranta Slides for the book Implementing Programming Languages. An Introduction to Compilers and Interpreters, College Publications, 2012. Fun: a language

### Chapter II. Controlling Cars on a Bridge

Chapter II. Controlling Cars on a Bridge 1 Introduction The intent of this chapter is to introduce a complete example of a small system development. During this development, you will be made aware of the

### 2. Methods of Proof Types of Proofs. Suppose we wish to prove an implication p q. Here are some strategies we have available to try.

2. METHODS OF PROOF 69 2. Methods of Proof 2.1. Types of Proofs. Suppose we wish to prove an implication p q. Here are some strategies we have available to try. Trivial Proof: If we know q is true then

### Parametric Domain-theoretic models of Linear Abadi & Plotkin Logic

Parametric Domain-theoretic models of Linear Abadi & Plotkin Logic Lars Birkedal Rasmus Ejlers Møgelberg Rasmus Lerchedahl Petersen IT University Technical Report Series TR-00-7 ISSN 600 600 February 00

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Automated Theorem Proving - summary of lecture 1

Automated Theorem Proving - summary of lecture 1 1 Introduction Automated Theorem Proving (ATP) deals with the development of computer programs that show that some statement is a logical consequence of

### The Trip Scheduling Problem

The Trip Scheduling Problem Claudia Archetti Department of Quantitative Methods, University of Brescia Contrada Santa Chiara 50, 25122 Brescia, Italy Martin Savelsbergh School of Industrial and Systems

### 1. R In this and the next section we are going to study the properties of sequences of real numbers.

+a 1. R In this and the next section we are going to study the properties of sequences of real numbers. Definition 1.1. (Sequence) A sequence is a function with domain N. Example 1.2. A sequence of real

### Chapter 3. Cartesian Products and Relations. 3.1 Cartesian Products

Chapter 3 Cartesian Products and Relations The material in this chapter is the first real encounter with abstraction. Relations are very general thing they are a special type of subset. After introducing

### (Refer Slide Time: 1:41)

Discrete Mathematical Structures Dr. Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture # 10 Sets Today we shall learn about sets. You must

### MAT2400 Analysis I. A brief introduction to proofs, sets, and functions

MAT2400 Analysis I A brief introduction to proofs, sets, and functions In Analysis I there is a lot of manipulations with sets and functions. It is probably also the first course where you have to take

### Verifying security protocols using theorem provers

1562 2007 79-86 79 Verifying security protocols using theorem provers Miki Tanaka National Institute of Information and Communications Technology Koganei, Tokyo 184-8795, Japan Email: miki.tanaka@nict.go.jp

### Rigorous Software Development CSCI-GA 3033-009

Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 11 Semantics of Programming Languages Denotational Semantics Meaning of a program is defined as the mathematical

### A Framework for the Semantics of Behavioral Contracts

A Framework for the Semantics of Behavioral Contracts Ashley McNeile Metamaxim Ltd, 48 Brunswick Gardens, London W8 4AN, UK ashley.mcneile@metamaxim.com Abstract. Contracts have proved a powerful concept

### Basic building blocks for a triple-double intermediate format

Basic building blocks for a triple-double intermediate format corrected version) Christoph Quirin Lauter February 26, 2009 Abstract The implementation of correctly rounded elementary functions needs high

### COMP 250 Fall Mathematical induction Sept. 26, (n 1) + n = n + (n 1)

COMP 50 Fall 016 9 - Mathematical induction Sept 6, 016 You will see many examples in this course and upcoming courses of algorithms for solving various problems It many cases, it will be obvious that

### Moving from CS 61A Scheme to CS 61B Java

Moving from CS 61A Scheme to CS 61B Java Introduction Java is an object-oriented language. This document describes some of the differences between object-oriented programming in Scheme (which we hope you

### POLYTYPIC PROGRAMMING OR: Programming Language Theory is Helpful

POLYTYPIC PROGRAMMING OR: Programming Language Theory is Helpful RALF HINZE Institute of Information and Computing Sciences Utrecht University Email: ralf@cs.uu.nl Homepage: http://www.cs.uu.nl/~ralf/

### Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

### 2. Compressing data to reduce the amount of transmitted data (e.g., to save money).

Presentation Layer The presentation layer is concerned with preserving the meaning of information sent across a network. The presentation layer may represent (encode) the data in various ways (e.g., data

### Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder

Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder Matt Department of Computer Science and Engineering University of Minnesota staats@cs.umn.edu Abstract We present

### Students in their first advanced mathematics classes are often surprised

CHAPTER 8 Proofs Involving Sets Students in their first advanced mathematics classes are often surprised by the extensive role that sets play and by the fact that most of the proofs they encounter are

### Termination Checking: Comparing Structural Recursion and Sized Types by Examples

Termination Checking: Comparing Structural Recursion and Sized Types by Examples David Thibodeau Decemer 3, 2011 Abstract Termination is an important property for programs and is necessary for formal proofs

### It is time to prove some theorems. There are various strategies for doing

CHAPTER 4 Direct Proof It is time to prove some theorems. There are various strategies for doing this; we now examine the most straightforward approach, a technique called direct proof. As we begin, it

### CHAPTER 2. Logic. 1. Logic Definitions. Notation: Variables are used to represent propositions. The most common variables used are p, q, and r.

CHAPTER 2 Logic 1. Logic Definitions 1.1. Propositions. Definition 1.1.1. A proposition is a declarative sentence that is either true (denoted either T or 1) or false (denoted either F or 0). Notation:

### Prime Numbers. Chapter Primes and Composites

Chapter 2 Prime Numbers The term factoring or factorization refers to the process of expressing an integer as the product of two or more integers in a nontrivial way, e.g., 42 = 6 7. Prime numbers are

### Introducing Formal Methods. Software Engineering and Formal Methods

Introducing Formal Methods Formal Methods for Software Specification and Analysis: An Overview 1 Software Engineering and Formal Methods Every Software engineering methodology is based on a recommended

### Regular Expressions and Automata using Haskell

Regular Expressions and Automata using Haskell Simon Thompson Computing Laboratory University of Kent at Canterbury January 2000 Contents 1 Introduction 2 2 Regular Expressions 2 3 Matching regular expressions

### Specification and Analysis of Contracts Lecture 1 Introduction

Specification and Analysis of Contracts Lecture 1 Introduction Gerardo Schneider gerardo@ifi.uio.no http://folk.uio.no/gerardo/ Department of Informatics, University of Oslo SEFM School, Oct. 27 - Nov.

### Product types are finite labeled products of types. They are a generalization of cartesian product. Elements of product types are called records.

Chapter 6 User-defined types The user is allowed to define his/her own data types. With this facility, there is no need to encode the data structures that must be manipulated by a program into lists (as

### Theory of Computation Lecture Notes

Theory of Computation Lecture Notes Abhijat Vichare August 2005 Contents 1 Introduction 2 What is Computation? 3 The λ Calculus 3.1 Conversions: 3.2 The calculus in use 3.3 Few Important Theorems 3.4 Worked

### CHAPTER II THE LIMIT OF A SEQUENCE OF NUMBERS DEFINITION OF THE NUMBER e.

CHAPTER II THE LIMIT OF A SEQUENCE OF NUMBERS DEFINITION OF THE NUMBER e. This chapter contains the beginnings of the most important, and probably the most subtle, notion in mathematical analysis, i.e.,

### Type Classes with Functional Dependencies

Appears in Proceedings of the 9th European Symposium on Programming, ESOP 2000, Berlin, Germany, March 2000, Springer-Verlag LNCS 1782. Type Classes with Functional Dependencies Mark P. Jones Department

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### The LCA Problem Revisited

The LA Problem Revisited Michael A. Bender Martín Farach-olton SUNY Stony Brook Rutgers University May 16, 2000 Abstract We present a very simple algorithm for the Least ommon Ancestor problem. We thus

### Likewise, we have contradictions: formulas that can only be false, e.g. (p p).

CHAPTER 4. STATEMENT LOGIC 59 The rightmost column of this truth table contains instances of T and instances of F. Notice that there are no degrees of contingency. If both values are possible, the formula

### 3. Mathematical Induction

3. MATHEMATICAL INDUCTION 83 3. Mathematical Induction 3.1. First Principle of Mathematical Induction. Let P (n) be a predicate with domain of discourse (over) the natural numbers N = {0, 1,,...}. If (1)

### A Semantical Perspective on Verification of Knowledge

A Semantical Perspective on Verification of Knowledge Paul Leemans, Jan Treur, Mark Willems Vrije Universiteit Amsterdam, Department of Artificial Intelligence De Boelelaan 1081a, 1081 HV Amsterdam The

### Glossary of Object Oriented Terms

Appendix E Glossary of Object Oriented Terms abstract class: A class primarily intended to define an instance, but can not be instantiated without additional methods. abstract data type: An abstraction

### Testing LTL Formula Translation into Büchi Automata

Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland

### Interactive Software Verification

Interactive Software Verification Spring Term 2013 Holger Gast gasth@in.tum.de 25.6.2013 1 H.Gast gasth@in.tum.de Interactive Software Verification, 25.6.2013 Today Manipulating lists on the heap Ghost

### 11 Ideals. 11.1 Revisiting Z

11 Ideals The presentation here is somewhat different than the text. In particular, the sections do not match up. We have seen issues with the failure of unique factorization already, e.g., Z[ 5] = O Q(

### Mathematics for Computer Science/Software Engineering. Notes for the course MSM1F3 Dr. R. A. Wilson

Mathematics for Computer Science/Software Engineering Notes for the course MSM1F3 Dr. R. A. Wilson October 1996 Chapter 1 Logic Lecture no. 1. We introduce the concept of a proposition, which is a statement

### Chapter 5 Names, Bindings, Type Checking, and Scopes

Chapter 5 Names, Bindings, Type Checking, and Scopes Chapter 5 Topics Introduction Names Variables The Concept of Binding Type Checking Strong Typing Scope Scope and Lifetime Referencing Environments Named

### Relations: their uses in programming and computational specifications

PEPS Relations, 15 December 2008 1/27 Relations: their uses in programming and computational specifications Dale Miller INRIA - Saclay & LIX, Ecole Polytechnique 1. Logic and computation Outline 2. Comparing

### Semantic Analysis: Types and Type Checking

Semantic Analysis Semantic Analysis: Types and Type Checking CS 471 October 10, 2007 Source code Lexical Analysis tokens Syntactic Analysis AST Semantic Analysis AST Intermediate Code Gen lexical errors

### Sets and functions. {x R : x > 0}.

Sets and functions 1 Sets The language of sets and functions pervades mathematics, and most of the important operations in mathematics turn out to be functions or to be expressible in terms of functions.

### Fundamentals of Mathematics Lecture 6: Propositional Logic

Fundamentals of Mathematics Lecture 6: Propositional Logic Guan-Shieng Huang National Chi Nan University, Taiwan Spring, 2008 1 / 39 Connectives Propositional Connectives I 1 Negation: (not A) A A T F

### COLORED GRAPHS AND THEIR PROPERTIES

COLORED GRAPHS AND THEIR PROPERTIES BEN STEVENS 1. Introduction This paper is concerned with the upper bound on the chromatic number for graphs of maximum vertex degree under three different sets of coloring

### Verifying Specifications with Proof Scores in CafeOBJ

Verifying Specifications with Proof Scores in CafeOBJ FUTATSUGI, Kokichi 二 木 厚 吉 Chair of Language Design Graduate School of Information Science Japan Advanced Institute of Science and Technology (JAIST)

### Concepts and terminology in the Simula Programming Language

Concepts and terminology in the Simula Programming Language An introduction for new readers of Simula literature Stein Krogdahl Department of Informatics University of Oslo, Norway April 2010 Introduction

### Module 10. Coding and Testing. Version 2 CSE IIT, Kharagpur

Module 10 Coding and Testing Lesson 23 Code Review Specific Instructional Objectives At the end of this lesson the student would be able to: Identify the necessity of coding standards. Differentiate between

### Theory of Computation Prof. Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology, Madras

Theory of Computation Prof. Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture No. # 31 Recursive Sets, Recursively Innumerable Sets, Encoding

### The PCAT Programming Language Reference Manual

The PCAT Programming Language Reference Manual Andrew Tolmach and Jingke Li Dept. of Computer Science Portland State University (revised October 8, 2004) 1 Introduction The PCAT language (Pascal Clone

### CS510 Software Engineering

CS510 Software Engineering Propositional Logic Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Scott A. Carr Slides inspired by Xiangyu Zhang http://nebelwelt.net/teaching/15-cs510-se

### Software Engineering

Software Engineering Lecture 04: The B Specification Method Peter Thiemann University of Freiburg, Germany SS 2013 Peter Thiemann (Univ. Freiburg) Software Engineering SWT 1 / 50 The B specification method

### ORDERS OF ELEMENTS IN A GROUP

ORDERS OF ELEMENTS IN A GROUP KEITH CONRAD 1. Introduction Let G be a group and g G. We say g has finite order if g n = e for some positive integer n. For example, 1 and i have finite order in C, since

### Coverability for Parallel Programs

2015 http://excel.fit.vutbr.cz Coverability for Parallel Programs Lenka Turoňová* Abstract We improve existing method for the automatic verification of systems with parallel running processes. The technique

### Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

### Mathematical Induction

Mathematical Induction In logic, we often want to prove that every member of an infinite set has some feature. E.g., we would like to show: N 1 : is a number 1 : has the feature Φ ( x)(n 1 x! 1 x) How

Computing and Informatics, Vol. 20, 2001,????, V 2006-Nov-6 UPDATES OF LOGIC PROGRAMS Ján Šefránek Department of Applied Informatics, Faculty of Mathematics, Physics and Informatics, Comenius University,

### + addition - subtraction and unary minus * multiplication / division mod modulo

Chapter 4 Basic types We examine in this chapter the Caml basic types. 4.1 Numbers Caml Light provides two numeric types: integers (type int) and floating-point numbers (type float). Integers are limited

### Mathematical Induction

Mathematical Induction (Handout March 8, 01) The Principle of Mathematical Induction provides a means to prove infinitely many statements all at once The principle is logical rather than strictly mathematical,

### 05 Case Study: C Programming Language

CS 2SC3 and SE 2S03 Fall 2009 05 Case Study: C Programming Language William M. Farmer Department of Computing and Software McMaster University 18 November 2009 The C Programming Language Developed by Dennis

### InvGen: An Efficient Invariant Generator

InvGen: An Efficient Invariant Generator Ashutosh Gupta and Andrey Rybalchenko Max Planck Institute for Software Systems (MPI-SWS) Abstract. In this paper we present InvGen, an automatic linear arithmetic

### The Epsilon-Delta Limit Definition:

The Epsilon-Delta Limit Definition: A Few Examples Nick Rauh 1. Prove that lim x a x 2 = a 2. (Since we leave a arbitrary, this is the same as showing x 2 is continuous.) Proof: Let > 0. We wish to find

### 2. Propositional Equivalences

2. PROPOSITIONAL EQUIVALENCES 33 2. Propositional Equivalences 2.1. Tautology/Contradiction/Contingency. Definition 2.1.1. A tautology is a proposition that is always true. Example 2.1.1. p p Definition

### 2. Basic Relational Data Model

2. Basic Relational Data Model 2.1 Introduction Basic concepts of information models, their realisation in databases comprising data objects and object relationships, and their management by DBMS s that

### Mathematical induction

Mathematical induction If we want to prove that P n holds for for all natural numbers n, we can do the following twostep rocket called mathematical induction: 1. Prove that P 0 holds 2. Prove that if P

### Induction. Margaret M. Fleck. 10 October These notes cover mathematical induction and recursive definition

Induction Margaret M. Fleck 10 October 011 These notes cover mathematical induction and recursive definition 1 Introduction to induction At the start of the term, we saw the following formula for computing

### Describing, manipulating and pricing financial contracts: The MLFi language

Describing, manipulating and pricing financial contracts: The MLFi language Centre for Financial Research, Judge Institute of Management Cambridge, 14 March 2003 (revised January 2005) Jean-Marc Eber LexiFi,

### FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 22

FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 22 RAVI VAKIL CONTENTS 1. Discrete valuation rings: Dimension 1 Noetherian regular local rings 1 Last day, we discussed the Zariski tangent space, and saw that it

### 13 Infinite Sets. 13.1 Injections, Surjections, and Bijections. mcs-ftl 2010/9/8 0:40 page 379 #385

mcs-ftl 2010/9/8 0:40 page 379 #385 13 Infinite Sets So you might be wondering how much is there to say about an infinite set other than, well, it has an infinite number of elements. Of course, an infinite

### Stochastic Inventory Control

Chapter 3 Stochastic Inventory Control 1 In this chapter, we consider in much greater details certain dynamic inventory control problems of the type already encountered in section 1.3. In addition to the

### Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

Chapter 23 Squares Modulo p Revised Version of Chapter 23 We learned long ago how to solve linear congruences ax c (mod m) (see Chapter 8). It s now time to take the plunge and move on to quadratic equations.

### Chapter 1 LOGIC AND PROOF

Chapter 1 LOGIC AND PROOF To be able to understand mathematics and mathematical arguments, it is necessary to have a solid understanding of logic and the way in which known facts can be combined to prove

### Compiler Design. Type Checking

Compiler Design Type Checking Static Checking Token Stream Parser Abstract Syntax Tree Static Checker Decorated Abstract Syntax Tree Intermediate Code Generator Intermediate Code Static (Semantic) Checks

### Chapter 4 Software Lifecycle and Performance Analysis

Chapter 4 Software Lifecycle and Performance Analysis This chapter is aimed at illustrating performance modeling and analysis issues within the software lifecycle. After having introduced software and

### Extraction of certified programs with effects from proofs with monadic types in Coq

Extraction of certified programs with effects from proofs with monadic types in Coq Marino Miculan 1 and Marco Paviotti 2 1 Dept. of Mathematics and Computer Science, University of Udine, Italy 2 IT University

### Formal Engineering for Industrial Software Development

Shaoying Liu Formal Engineering for Industrial Software Development Using the SOFL Method With 90 Figures and 30 Tables Springer Contents Introduction 1 1.1 Software Life Cycle... 2 1.2 The Problem 4 1.3

### KNOWLEDGE FACTORING USING NORMALIZATION THEORY

KNOWLEDGE FACTORING USING NORMALIZATION THEORY J. VANTHIENEN M. SNOECK Katholieke Universiteit Leuven Department of Applied Economic Sciences Dekenstraat 2, 3000 Leuven (Belgium) tel. (+32) 16 28 58 09

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Local periods and binary partial words: An algorithm

Local periods and binary partial words: An algorithm F. Blanchet-Sadri and Ajay Chriscoe Department of Mathematical Sciences University of North Carolina P.O. Box 26170 Greensboro, NC 27402 6170, USA E-mail:

### Storage Allocation in Typed Languages

Storage Allocation in Typed Languages Butler W. Lampson Xerox Corporation Palo Alto Research Center Appeared in Proc. 5th Ann. III Conf: Implementation and Design of Algorithmic Languages, Guidel, France,

### 2.1.1 Examples of Sets and their Elements

Chapter 2 Set Theory 2.1 Sets The most basic object in Mathematics is called a set. As rudimentary as it is, the exact, formal definition of a set is highly complex. For our purposes, we will simply define

### Journal of Functional Programming, volume 3 number 4, 1993. Dynamics in ML

Journal of Functional Programming, volume 3 number 4, 1993. Dynamics in ML Xavier Leroy École Normale Supérieure Michel Mauny INRIA Rocquencourt Abstract Objects with dynamic types allow the integration

### ML for the Working Programmer

ML for the Working Programmer 2nd edition Lawrence C. Paulson University of Cambridge CAMBRIDGE UNIVERSITY PRESS CONTENTS Preface to the Second Edition Preface xiii xv 1 Standard ML 1 Functional Programming

### Algorithms and Data Structures

Algorithms and Data Structures Part 2: Data Structures PD Dr. rer. nat. habil. Ralf-Peter Mundani Computation in Engineering (CiE) Summer Term 2016 Overview general linked lists stacks queues trees 2 2

### CHAPTER 3 Numbers and Numeral Systems

CHAPTER 3 Numbers and Numeral Systems Numbers play an important role in almost all areas of mathematics, not least in calculus. Virtually all calculus books contain a thorough description of the natural,