rc: comparison Paper.thy

equal deleted inserted replaced

-:fb962189e921
+:dd1499f296ea
 exists ("alive") and
 default_fd_create_type ("default'_type") and
 InheritParent_file_type ("InheritPatentType") and
 NormalFile_type ("NormalFileType") and
 deleted ("deleted _ _" [50, 100] 100) and
-taintable_s ("taintable\<^isup>s") and
+taintable_s ("taintable\<^sup>s") and
-tainted_s ("tainted\<^isup>s") and
+tainted_s ("tainted\<^sup>s") and
-all_sobjs ("reachable\<^isup>s") and
+all_sobjs ("reachable\<^sup>s") and
 init_obj2sobj ("\<lbrakk>_\<rbrakk>") and
 erole_functor ("erole'_aux") --"I have a erole_functor and etype_aux to handle
 efficient, but their name not same, so ..., but don't work"
 hope for a meaningful check by just trying out all possible
 valid states in our dynamic model. The reason is that there are
 potentially infinitely many of them and therefore the search space would be
 infinite.  For example starting from an
 initial state containing a process @{text p} and a file @{text pf},
-we can create files @{text "f\<^isub>1"}, @{text "f\<^isub>2"}, @{text "..."}
+we can create files @{text "f\<^sub>1"}, @{text "f\<^sub>2"}, @{text "..."}
 via @{text "CreateFile"}-events. This can be pictured roughly as follows:
 \begin{center}
 \begin{tabular}[t]{c@ {\hspace{-8mm}}c@ {\hspace{-8mm}}c@ {\hspace{-8mm}}c@ {\hspace{-8mm}}cc}
 \begin{tabular}[t]{c}
 @{term "{p, pf}"}
 \end{tabular} &
 \begin{tabular}[t]{c}
 \\
 @{text "\<Longrightarrow>"}\\[2mm]
-{\small@{term "CreateFile p (f\<^isub>1#pf)"}}
+{\small@{term "CreateFile p (f\<^sub>1#pf)"}}
 \end{tabular}
 &
 \begin{tabular}[t]{c}
 \\
-@{term "{p, pf, f\<^isub>1#pf}"}
+@{term "{p, pf, f\<^sub>1#pf}"}
 \end{tabular}
 &
 \begin{tabular}[t]{c}
 \\
 @{text "\<Longrightarrow>"}\\[2mm]
-{\small@{term "CreateFile p (f\<^isub>2#f\<^isub>1#pf)"}}
+{\small@{term "CreateFile p (f\<^sub>2#f\<^sub>1#pf)"}}
 \end{tabular}
 &
 \begin{tabular}[t]{c}
 \\
-@{term "{p, pf, f\<^isub>1#pf, f\<^isub>2#f\<^isub>1#pf}"}
+@{term "{p, pf, f\<^sub>1#pf, f\<^sub>2#f\<^sub>1#pf}"}
 \end{tabular} &
 \begin{tabular}[t]{c}
 \\
 @{text "..."}\\
 \end{tabular}
 The crucial difference between between the ``dynamic'' notion of validity
 and the ``static'' notion of @{term "all_sobjs"}
 is that there can be infinitely many valid states, but assuming the initial
 state contains only finitely many objects, then also @{term "all_sobjs"} will
 be finite. To see the difference, consider the infinite ``chain'' of events
-just cloning a process @{text "p\<^isub>0"}:
+just cloning a process @{text "p\<^sub>0"}:
 \begin{center}
 \begin{tabular}[t]{c@ {\hspace{-2mm}}c@ {\hspace{-2mm}}c@ {\hspace{-2mm}}c@ {\hspace{-2mm}}cc}
 \begin{tabular}[t]{c}
 Initial state:\\
-@{term "{p\<^isub>0}"}
+@{term "{p\<^sub>0}"}
 \end{tabular} &
 \begin{tabular}[t]{c}
 \\
 @{text "\<Longrightarrow>"}\\[2mm]
-{\small@{term "Clone p\<^isub>0 p\<^isub>1"}}
+{\small@{term "Clone p\<^sub>0 p\<^sub>1"}}
 \end{tabular}
 &
 \begin{tabular}[t]{c}
 \\
-@{term "{p\<^isub>0, p\<^isub>1}"}
+@{term "{p\<^sub>0, p\<^sub>1}"}
 \end{tabular}
 &
 \begin{tabular}[t]{c}
 \\
 @{text "\<Longrightarrow>"}\\[2mm]
-{\small@{term "Clone p\<^isub>0 p\<^isub>2"}}
+{\small@{term "Clone p\<^sub>0 p\<^sub>2"}}
 \end{tabular}
 &
 \begin{tabular}[t]{c}
 \\
-@{term "{p\<^isub>0, p\<^isub>1, p\<^isub>2}"}
+@{term "{p\<^sub>0, p\<^sub>1, p\<^sub>2}"}
 \end{tabular} &
 \begin{tabular}[t]{c}
 \\
 @{text "..."}\\
 \end{tabular}
 The corresponding reachable objects are
 \begin{center}
 \begin{tabular}[t]{cccc}
 \begin{tabular}[t]{c}
-@{text "{P(r, dr, t, u)\<^bsup>Some (p\<^isub>0)\<^esup>}"}
+@{text "{P(r, dr, t, u)\<^bsup>Some (p\<^sub>0)\<^esup>}"}
 \end{tabular} &
 \begin{tabular}[t]{c}
 @{text "\<Longrightarrow>"}
 \end{tabular}
 &
 \begin{tabular}[t]{c}
-@{text "{P(r, dr, t, u)\<^bsup>Some (p\<^isub>0)\<^esup>, P(r, dr, t, u)\<^bsup>None\<^esup>}"}
+@{text "{P(r, dr, t, u)\<^bsup>Some (p\<^sub>0)\<^esup>, P(r, dr, t, u)\<^bsup>None\<^esup>}"}
 \end{tabular}
 \end{tabular}
 \end{center}
 \noindent
 where no further progress can be made because the information
-recorded about @{text "p\<^isub>2"}, @{text "p\<^isub>3"} and so on is just the same
+recorded about @{text "p\<^sub>2"}, @{text "p\<^sub>3"} and so on is just the same
-as for @{text "p\<^isub>1"}, namely @{text "P(r, dr, t, u)\<^bsup>None\<^esup>"}.  Indeed we
+as for @{text "p\<^sub>1"}, namely @{text "P(r, dr, t, u)\<^bsup>None\<^esup>"}.  Indeed we
 can prove the lemma:
 \begin{lemma}\label{finite}
 If @{text "finite init"}, then @{term "finite all_sobjs"}.
 \end{lemma}
 We omit the remaining rules for executing a file, cloning a process and
 rules involving IPCs, which are similar. A simple consequence of our definitions
 is that every tainted object is also reachable:
 \begin{lemma}
-@{text "tainted\<^isup>s \<subseteq> reachable\<^isup>s"}
+@{text "tainted\<^sup>s \<subseteq> reachable\<^sup>s"}
 \end{lemma}
 \noindent
 which in turn means that the set of @{term "tainted_s"} items is finite by Lemma~\ref{finite}.
 Using this function, we can define when an object is @{term taintable_s} in terms of
 an item being @{term tainted_s}, namely
 \begin{isabelle}\ \ \ \ \ %%%
 \mbox{\begin{tabular}{lcl}
-@{thm (lhs) taintable_s_def} & @{text "\<equiv>"} & @{text "\<exists>item. item \<in> tainted\<^isup>s \<and> |item| = Some obj"}
+@{thm (lhs) taintable_s_def} & @{text "\<equiv>"} & @{text "\<exists>item. item \<in> tainted\<^sup>s \<and> |item| = Some obj"}
 \end{tabular}}
 \end{isabelle}
 \noindent
 Note that @{term taintable_s} is only about objects that are present in

changeset 13	dd1499f296ea
parent 11	31d3d2b3f6b0
child 14	d43f46423298