> Reviewer #1: This paper demonstrates that a) the Myhill-Nerode theorem can be

> proved without relying on the notion of automata and b) argues

> shallowly thorough the paper that not having to formalize the notion

> of automata is easier.

> 

> While I do agree that point a) is a an interesting theoretical

> contribution that deserves publication, I disagree with the second

> argument.

We are very grateful to the reviewer deciding the paper is a worthy 

contribution. We are especially grateful since this opinion is despite 

disagreement with parts of the paper. Thank you very much!

> It should be noted that the handling of the notion of automata has

> been difficult historically for two reasons. On the one hand, giving

> an identifier to every state of an automata indeed yields proofs that

> may be characterized as "clunky" (even if the wording is a bit

> strong), but is a necessary condition for efficient implementation of

> automata algorithms. This yields sizable formalizations as is

> demonstrated by the Lammich and Tuerk's work or Braibant and Pous's

> work [1]. On the other hand, it seems to be the case that the

> "principle of definition" in HOL makes it impossible to use parametric

> definitions of automata (but there is no problem with such a

> definition in Coq).

We agree with this summary. We cited the work by Doczal et al and wrote 

that their quantification over types is not available to us. 

   Systems such as Coq permit quantification over types and thus can 

   state such a definition. This has been recently exploited in an elegant 

   and short formalisation of the Myhill-Nerode theorem in Coq by Doczkal 

   et al. (2013), but as said this is not available to us working in 

   Isabelle/HOL.

> But, the startup cost of a formalization depends on the scope of what

> one intends to formalize. Perhaps Braibant concedes that your

> development is more concise that his, yet Braibant's work dealt with

> the formalization of an _efficient_ decision procedure for Kleene

> algebras that required _two_ formalizations of automata (the matrices

> are only used in the proof of correctness of this decision procedure,

> while the computational part uses efficient representations for DAGs

> -- see for instance [1] p. 21 or Braibant's thesis p. 49). I am only

> adding emphasis here to demonstrate that this does not compare easily

> with the formalization of the proof of Myhill-Nerode by itself.

We have attempted to not touch upon efficiency and algorithmic issues, since 

they are an distraction for our topic at hand, that is reasoning about inductive

structures, of which regular expressions are one instance. If you use more

efficient datastructures, then it is expected that reasoning will be

more difficult. The point of the paper is to prove the Myhill-Nerode theorem

with only inductive structures, which are well-supported in all interactive 

theorem provers we are aware off. 

> (At this point, let me comment on your answer: "As far as we know

> Braibant also uses ssreflect".  It is not the case. One may wonder to

> what extent the use of ssreflect there could have alleviated the

> "intrinsic difficulties of working with rectangular matrices".)

Noted. We will not make this claim and have not done so in the paper.

> In the same fashion, Lammich and Tuerk's work uses efficient

> data-structures (.e.g, for collections, automatas), and some amount of

> data-refinement to link various representations together. 

Please note that the 14 kloc we cited for the Lammich/Tuerk work is

the automata library, not the formalisation built on top of it.

Also Lammich and Tuerk have told us that reasoning about graphs 

with state names is undesirable. If they had a better representation

available (which they had _not_, since they formalise Hopcroft's

algorithm), they would have used this one and establish that it is 

"equivalent" to the more efficient version with efficient data-

structures. In their case there is no alternative formalising a library

about graphs etc. We have shown that in case of the Myhill-Nerode theorem

there is an alternative. We have been very careful to make claims about

being the first ones who have done so. However, we believe we are,

but certainly our proofs are not present in the literature (this

might have something to do with the fact that the Myhill-Nerode

theorem requires the reversal of Brzozowski and Arden...see

comment further below).

> My most stringent remark about the paper is that it should make clear

> from the beginning whether or not the algorithms are computational,

> and if they are executable, how efficient. Then, comparing with the

> two aforementioned work will make sense. 

As stated earlier, we do not like to make computational issues

explicit as they are a distraction in our opinion. The logic behind 

Isabelle/HOL and all HOL-based theorem provers is not a computational logic, 

in the sense that it is not about computable functions (unlike Coq). There 

are "uncomputable" features in HOL such as the axiom of choice (which we

make use of in our formalisation). We still use the terminology "algorithm"

in the widely-used sense of algorithms that contain "do-not-care"

nondetermism. For example, unification algorithms are usually explained and 

proved correct as transition system over sets of equations. They are not

executable in the Turing-machine sense, since they leave implicit

the order in which the equations should be analysed and which

rules should "fire" if there are more than one applicable. They

are also "imperfect" as the notion of (potentially infinite) sets

cannot be implemented, in general, as a computable function, but 

they can be reasoned about in Isabelle/HOL and other theorem provers.

Still we hope that the reviewer agrees with us and with the many uses 

in the literature (unification is only one example which commits this 

"sin"), it is nevertheless perfectly sensible to call such "things" 

algorithms. Although they cannot be directly implemented, they can be

implemented once choices are made explicit and datastructures 

fixed. Similarly, our formalisation uses a do-not-care approach

for building a regular expression out of a set of regular expressions

(see equation (2)).  It also leaves the order of equations that should be 

analysed under-specified. But if all these choices are made explicit, we

have an algorithm that is implementable in code. But as the explanation

already indicates, it is quite a digression from our main topic of

reasoning about inductive structures.

If we further contemplate the efficiency of the algorithm we 

(under)specified, then our best guess is that it is exponential in the 

worst case, just like the "naive" unification algorithm is exponential 

if sharing is not treated carefully. 

> In fact, I have been made aware of the following work [2] that do

> formalize automata and regular language theory without using explicit

> identifiers for state numbers in automata. The upside is that it

> yields much smoother proofs than previous works in Coq. The downside

> is that this formalization strategy does not yield efficient algorithm

> for automata constructions. I reckon that this is a technical report

> that should be taken with a grain of salt in the context of this

> review, but I think that it gives evidence that it is not always the

> case that the startup cost is higher with automata rather than with

> regular expressions: they formalize the Myhill-Nerode theorem,

> Kleene's theorem, the relationships between various representations of

> regular languages in around 1500 lines of ssreflect/Coq. (Again, let

> me emphasize that this is not a computational representation of

> automata, and thus, it does not easily compare in terms of size with

> Lammich and Tuerk's work or Braibant and Pous's work.) I think this

> work would make for a much more relevant comparison with your work. 

We cited this work and commented on it (see above).

> I agree that comparing with related work is hard, and that the authors

> have already been careful in their comparison with the formalization

> sizes from other works. Yet, I am afraid an uninformed outsider would

> miss the distinction between related work that are executable and

> efficient and this formalization. 

In order to get meaningful work done, we have to depend on readers 

carefully reading the paper and obtaining required background material.

I am afraid, there is no other way around. 

> - I am still confused about the explanation about the way the

> equational system is set up (your comment in the conclusion does not

> help me to pinpoint why you have to do that): I understand that

> Brzozowski annotates the final states with lambdas, and propagates

> them to the unique initial state. On the other hand you start with a

> set of equivalence classes, and you want to compute a regular

> expression for all classes that are in finals. In other words, I still

> fail to see why the following system does not suit your needs

> 

> X1 = a,X2 + b,X4 

> X2 = b,X3 + a,X4 + lambda(ONE)

> X3 = a,X4 + b,X4 + lambda(ONE)

> X4 = a,X4 + b,X4

>

> with L(r,X) = L(r) \cdot X

>

> and then propagate the equation to compute to compute a value for

> X1. (And, you could draw the automata underlying the transitions at

> the top of p. 7 to help the reader understand what is going on, and

> the relationship with the current equational system.)

> 

> Maybe it is simply that you could have done it, but that it would have

> been less pleasant to work with in the context of a Myhill-Nerode

> relation?

We used in the paper the much stronger formulation of being

_forced_ to set up the equational system in our way. And we even

now have made the earlier comment about this issue, which was 

placed in a footnote, to be part of the main text (see paragraph after 

equation (6)). 

While your equational system and computations generate a regular

expression, it does not take into account the assumption from 

the first direction of the Myhill-Nerode theorem. Recall that the 

assumption is that there are finitely many equivalence classes 

by the Myhill-Nerode relation. Therefore we have to make our equations

to be in agreement with these equivalence classes, which the properties

in equation (7) and (8) make explicit. We further have to maintain

this agreement during the solution of the equational system. 

Your equational system is _not_ in agreement with the equivalence 

classes: consider that 

   X1 = {[]}

   X2 = {[a]}

   X3 = {[a, b]}

   X4 = UNIV − {[], [a], [a, b]} 

hold, which is not true for the equations you have set up (under the

natural interpretation you have given). Another point is that it is always the

case that only one equivalence class in the Myhill-Nerode theorem contains 

the empty string. Therefore it cannot be the case that there are more than 

one (initial) equation containing the marker lambda(ONE), which translates 

into the empty string under the natural interpretation. So we are

of the opinion that for the Myhill-Nerode theorem you are really forced 

to "reverse" the standard approaches. Please let us know, if this 

clarifies this issue for you.

> - I really appreciate the rephrasing of section 4, especially the

> final remark. I think it clearly helps the reader to understand the

> proof arguments, and the relationship with automata. 

Thank you.

> - I concur with the second reviewer to say that the executability of

> the first half of the M-N theorem should be discussed in the

> conclusion. Moreover, I am puzzled by your comments in the response to

> reviewers: to what extent does your formalization need to be

> _modified_ to make it executable? Do you need to change the code, or

> to add more things? (More precisely, you discuss the executability of

> the second half of the M-N theorem -- that constructs a partition of

> the set of strings -- in the conclusion, in the context of Haftmann

> executable sets; 

The first half is about the Myhill-Nerode relation partitioning the sets of 

all strings into equivalence classes. Our remark applies to this "half".

> you should do the same for the first-half---that

> constructs a regular expression). I am not sure I am happy with the

> things you wrote about executable sets, because it is not clear from

> my point of view if you need to modify the code, or add things. 

See comment above. We really not want to open up this can of worms.

> - More generally, it should be made clear that when you say algorithm,

> the reader should not understand it as something that is computable as

> it is. In particular, I think that the following sentence is

> misleading: "our algorithm for solving equational systems actually

> calculates a regular expression for the complement language." You

> actually define such an expression, but it seems not possible, as it

> is, to open the box to see what is inside.

It is possible as long as you make the "do-not-care" non-determinism 

explicit and fix appropriate datastructures for computations. 

> - You answered: 

> > In our opinion, Coquand and Siles' development strongly justifies our

> > comment about formalisation of Brzozowski's argument being painful.

> > If you like to have this reference added in the paper, we are happy

> > to do so.

>

> I think that it is worth adding a comment like this one either in

> section 5 (at the beginning of p. 20) or in the conclusion.

We added to page 20:

  Therefore Coquand and Siles (2011) who follow through this idea 

  had to spend extra effort and first formalise the quite intricate 

  notion of inductively finite sets in order to formalise this property.

> - The authors provide a detailed figure for the number of line of code

>   of Almeida et al's implementation of Mirkin construction, but there

>   is no such figure for some of other works that are cited. Maybe this

>   number could be dropped, or similar figures could be given for other

>   works, in order to give a more accurate picture.

We are not 100% sure about this comment. We have not selected the

explicit numbers for the Lammich-Tuerk and Almeida et al works because of  

"name-and-shaming" or because of a "beauty contest". Rather to illustrate 

a trend. We asked about the numbers for the Lammich-Tuerk work. They 

also confirmed with us that their automata-with-names approach is painful 

to work with. Unfortunately they have not written this in their paper 

such that we could have cited it. Filliatre makes explicitly such a comment 

in his paper, which we have cited. Braibant equally wrote that he reckons 

that our formalisation is more concise. There is no way we can give a number 

in terms of lines-of-code for the formalisation in Nuprl. We believe 

the number for the Almeida et al work is accurate (and not even the

biggest formalisation from the ones listed, but one which is about

one specific topic).  

> - I wonder if you have direction for future works, that would satisfy

>  your predicate "results from regular language theory, not results

>  from automata theory". It would be nice to give a few examples if

>  you have some in mind. 

We added the work by Sulzmann and Lu who work on regular expression

sub-matching using derivatives of regular expressions. We would like

to formalise this work. Thank you very much for suggesting future work.