isabelle: src/HOL/ex/CTL.thy@02610a806467 (annotated)

15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	1	(* Title: HOL/ex/CTL.thy
e524119dbf19 * empty log message * bauerg parents: diff changeset	2	Author: Gertrud Bauer
e524119dbf19 * empty log message * bauerg parents: diff changeset	3	*)
e524119dbf19 * empty log message * bauerg parents: diff changeset	4
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	5	section \<open>CTL formulae\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	6
46685 866a798d051c tuned proofs; wenzelm parents: 46008 diff changeset	7	theory CTL
866a798d051c tuned proofs; wenzelm parents: 46008 diff changeset	8	imports Main
866a798d051c tuned proofs; wenzelm parents: 46008 diff changeset	9	begin
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	10
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	11	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	12	We formalize basic concepts of Computational Tree Logic (CTL) @{cite
02610a806467 tuned; wenzelm parents: 61933 diff changeset	13	"McMillan-PhDThesis" and "McMillan-LectureNotes"} within the simply-typed
02610a806467 tuned; wenzelm parents: 61933 diff changeset	14	set theory of HOL.
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	15
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	16	By using the common technique of ``shallow embedding'', a CTL formula is
02610a806467 tuned; wenzelm parents: 61933 diff changeset	17	identified with the corresponding set of states where it holds.
02610a806467 tuned; wenzelm parents: 61933 diff changeset	18	Consequently, CTL operations such as negation, conjunction, disjunction
02610a806467 tuned; wenzelm parents: 61933 diff changeset	19	simply become complement, intersection, union of sets. We only require a
02610a806467 tuned; wenzelm parents: 61933 diff changeset	20	separate operation for implication, as point-wise inclusion is usually not
02610a806467 tuned; wenzelm parents: 61933 diff changeset	21	encountered in plain set-theory.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	22	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	23
e524119dbf19 * empty log message * bauerg parents: diff changeset	24	lemmas [intro!] = Int_greatest Un_upper2 Un_upper1 Int_lower1 Int_lower2
e524119dbf19 * empty log message * bauerg parents: diff changeset	25
42463 f270e3e18be5 modernized specifications; wenzelm parents: 41460 diff changeset	26	type_synonym 'a ctl = "'a set"
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	27
bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	28	definition
21404 eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	29	imp :: "'a ctl \<Rightarrow> 'a ctl \<Rightarrow> 'a ctl" (infixr "\<rightarrow>" 75) where
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	30	"p \<rightarrow> q = - p \<union> q"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	31
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	32	lemma [intro!]: "p \<inter> p \<rightarrow> q \<subseteq> q" unfolding imp_def by auto
bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	33	lemma [intro!]: "p \<subseteq> (q \<rightarrow> p)" unfolding imp_def by rule
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	34
e524119dbf19 * empty log message * bauerg parents: diff changeset	35
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	36	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	37	\<^smallskip>
02610a806467 tuned; wenzelm parents: 61933 diff changeset	38	The CTL path operators are more interesting; they are based on an arbitrary,
02610a806467 tuned; wenzelm parents: 61933 diff changeset	39	but fixed model \<open>\<M>\<close>, which is simply a transition relation over states
02610a806467 tuned; wenzelm parents: 61933 diff changeset	40	@{typ 'a}.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	41	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	42
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	43	axiomatization \<M> :: "('a \<times> 'a) set"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	44
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	45	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	46	The operators \<open>\<EX>\<close>, \<open>\<EF>\<close>, \<open>\<EG>\<close> are taken as primitives, while
02610a806467 tuned; wenzelm parents: 61933 diff changeset	47	\<open>\<AX>\<close>, \<open>\<AF>\<close>, \<open>\<AG>\<close> are defined as derived ones. The formula \<open>\<EX> p\<close>
02610a806467 tuned; wenzelm parents: 61933 diff changeset	48	holds in a state @{term s}, iff there is a successor state @{term s'} (with
02610a806467 tuned; wenzelm parents: 61933 diff changeset	49	respect to the model @{term \<M>}), such that @{term p} holds in @{term s'}.
02610a806467 tuned; wenzelm parents: 61933 diff changeset	50	The formula \<open>\<EF> p\<close> holds in a state @{term s}, iff there is a path in
02610a806467 tuned; wenzelm parents: 61933 diff changeset	51	\<open>\<M>\<close>, starting from @{term s}, such that there exists a state @{term s'} on
02610a806467 tuned; wenzelm parents: 61933 diff changeset	52	the path, such that @{term p} holds in @{term s'}. The formula \<open>\<EG> p\<close>
02610a806467 tuned; wenzelm parents: 61933 diff changeset	53	holds in a state @{term s}, iff there is a path, starting from @{term s},
02610a806467 tuned; wenzelm parents: 61933 diff changeset	54	such that for all states @{term s'} on the path, @{term p} holds in @{term
02610a806467 tuned; wenzelm parents: 61933 diff changeset	55	s'}. It is easy to see that \<open>\<EF> p\<close> and \<open>\<EG> p\<close> may be expressed using
02610a806467 tuned; wenzelm parents: 61933 diff changeset	56	least and greatest fixed points @{cite "McMillan-PhDThesis"}.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	57	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	58
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	59	definition EX ("\<EX> _" [80] 90)
02610a806467 tuned; wenzelm parents: 61933 diff changeset	60	where [simp]: "\<EX> p = {s. \<exists>s'. (s, s') \<in> \<M> \<and> s' \<in> p}"
02610a806467 tuned; wenzelm parents: 61933 diff changeset	61	definition EF ("\<EF> _" [80] 90)
02610a806467 tuned; wenzelm parents: 61933 diff changeset	62	where [simp]: "\<EF> p = lfp (\<lambda>s. p \<union> \<EX> s)"
02610a806467 tuned; wenzelm parents: 61933 diff changeset	63	definition EG ("\<EG> _" [80] 90)
02610a806467 tuned; wenzelm parents: 61933 diff changeset	64	where [simp]: "\<EG> p = gfp (\<lambda>s. p \<inter> \<EX> s)"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	65
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	66	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	67	\<open>\<AX>\<close>, \<open>\<AF>\<close> and \<open>\<AG>\<close> are now defined dually in terms of \<open>\<EX>\<close>,
02610a806467 tuned; wenzelm parents: 61933 diff changeset	68	\<open>\<EF>\<close> and \<open>\<EG>\<close>.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	69	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	70
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	71	definition AX ("\<AX> _" [80] 90)
02610a806467 tuned; wenzelm parents: 61933 diff changeset	72	where [simp]: "\<AX> p = - \<EX> - p"
02610a806467 tuned; wenzelm parents: 61933 diff changeset	73	definition AF ("\<AF> _" [80] 90)
02610a806467 tuned; wenzelm parents: 61933 diff changeset	74	where [simp]: "\<AF> p = - \<EG> - p"
02610a806467 tuned; wenzelm parents: 61933 diff changeset	75	definition AG ("\<AG> _" [80] 90)
02610a806467 tuned; wenzelm parents: 61933 diff changeset	76	where [simp]: "\<AG> p = - \<EF> - p"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	77
e524119dbf19 * empty log message * bauerg parents: diff changeset	78
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	79	subsection \<open>Basic fixed point properties\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	80
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	81	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	82	First of all, we use the de-Morgan property of fixed points.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	83	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	84
21026 3b2821e0d541 Adapted to changes in FixedPoint theory. berghofe parents: 20807 diff changeset	85	lemma lfp_gfp: "lfp f = - gfp (\<lambda>s::'a set. - (f (- s)))"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	86	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	87	show "lfp f \<subseteq> - gfp (\<lambda>s. - f (- s))"
e524119dbf19 * empty log message * bauerg parents: diff changeset	88	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	89	fix x assume l: "x \<in> lfp f"
e524119dbf19 * empty log message * bauerg parents: diff changeset	90	show "x \<in> - gfp (\<lambda>s. - f (- s))"
e524119dbf19 * empty log message * bauerg parents: diff changeset	91	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	92	assume "x \<in> gfp (\<lambda>s. - f (- s))"
21026 3b2821e0d541 Adapted to changes in FixedPoint theory. berghofe parents: 20807 diff changeset	93	then obtain u where "x \<in> u" and "u \<subseteq> - f (- u)"
32587 caa5ada96a00 Inter and Union are mere abbreviations for Inf and Sup haftmann parents: 26813 diff changeset	94	by (auto simp add: gfp_def)
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	95	then have "f (- u) \<subseteq> - u" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	96	then have "lfp f \<subseteq> - u" by (rule lfp_lowerbound)
e524119dbf19 * empty log message * bauerg parents: diff changeset	97	from l and this have "x \<notin> u" by auto
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	98	with \<open>x \<in> u\<close> show False by contradiction
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	99	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	100	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	101	show "- gfp (\<lambda>s. - f (- s)) \<subseteq> lfp f"
e524119dbf19 * empty log message * bauerg parents: diff changeset	102	proof (rule lfp_greatest)
e524119dbf19 * empty log message * bauerg parents: diff changeset	103	fix u assume "f u \<subseteq> u"
e524119dbf19 * empty log message * bauerg parents: diff changeset	104	then have "- u \<subseteq> - f u" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	105	then have "- u \<subseteq> - f (- (- u))" by simp
e524119dbf19 * empty log message * bauerg parents: diff changeset	106	then have "- u \<subseteq> gfp (\<lambda>s. - f (- s))" by (rule gfp_upperbound)
e524119dbf19 * empty log message * bauerg parents: diff changeset	107	then show "- gfp (\<lambda>s. - f (- s)) \<subseteq> u" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	108	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	109	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	110
21026 3b2821e0d541 Adapted to changes in FixedPoint theory. berghofe parents: 20807 diff changeset	111	lemma lfp_gfp': "- lfp f = gfp (\<lambda>s::'a set. - (f (- s)))"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	112	by (simp add: lfp_gfp)
e524119dbf19 * empty log message * bauerg parents: diff changeset	113
21026 3b2821e0d541 Adapted to changes in FixedPoint theory. berghofe parents: 20807 diff changeset	114	lemma gfp_lfp': "- gfp f = lfp (\<lambda>s::'a set. - (f (- s)))"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	115	by (simp add: lfp_gfp)
e524119dbf19 * empty log message * bauerg parents: diff changeset	116
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	117	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	118	In order to give dual fixed point representations of @{term "\<AF> p"} and
02610a806467 tuned; wenzelm parents: 61933 diff changeset	119	@{term "\<AG> p"}:
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	120	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	121
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	122	lemma AF_lfp: "\<AF> p = lfp (\<lambda>s. p \<union> \<AX> s)"
02610a806467 tuned; wenzelm parents: 61933 diff changeset	123	by (simp add: lfp_gfp)
02610a806467 tuned; wenzelm parents: 61933 diff changeset	124	lemma AG_gfp: "\<AG> p = gfp (\<lambda>s. p \<inter> \<AX> s)"
02610a806467 tuned; wenzelm parents: 61933 diff changeset	125	by (simp add: lfp_gfp)
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	126
e524119dbf19 * empty log message * bauerg parents: diff changeset	127	lemma EF_fp: "\<EF> p = p \<union> \<EX> \<EF> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	128	proof -
46685 866a798d051c tuned proofs; wenzelm parents: 46008 diff changeset	129	have "mono (\<lambda>s. p \<union> \<EX> s)" by rule auto
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	130	then show ?thesis by (simp only: EF_def) (rule lfp_unfold)
e524119dbf19 * empty log message * bauerg parents: diff changeset	131	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	132
e524119dbf19 * empty log message * bauerg parents: diff changeset	133	lemma AF_fp: "\<AF> p = p \<union> \<AX> \<AF> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	134	proof -
46685 866a798d051c tuned proofs; wenzelm parents: 46008 diff changeset	135	have "mono (\<lambda>s. p \<union> \<AX> s)" by rule auto
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	136	then show ?thesis by (simp only: AF_lfp) (rule lfp_unfold)
e524119dbf19 * empty log message * bauerg parents: diff changeset	137	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	138
e524119dbf19 * empty log message * bauerg parents: diff changeset	139	lemma EG_fp: "\<EG> p = p \<inter> \<EX> \<EG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	140	proof -
46685 866a798d051c tuned proofs; wenzelm parents: 46008 diff changeset	141	have "mono (\<lambda>s. p \<inter> \<EX> s)" by rule auto
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	142	then show ?thesis by (simp only: EG_def) (rule gfp_unfold)
e524119dbf19 * empty log message * bauerg parents: diff changeset	143	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	144
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	145	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	146	From the greatest fixed point definition of @{term "\<AG> p"}, we derive as
02610a806467 tuned; wenzelm parents: 61933 diff changeset	147	a consequence of the Knaster-Tarski theorem on the one hand that @{term
02610a806467 tuned; wenzelm parents: 61933 diff changeset	148	"\<AG> p"} is a fixed point of the monotonic function
02610a806467 tuned; wenzelm parents: 61933 diff changeset	149	@{term "\<lambda>s. p \<inter> \<AX> s"}.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	150	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	151
e524119dbf19 * empty log message * bauerg parents: diff changeset	152	lemma AG_fp: "\<AG> p = p \<inter> \<AX> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	153	proof -
46685 866a798d051c tuned proofs; wenzelm parents: 46008 diff changeset	154	have "mono (\<lambda>s. p \<inter> \<AX> s)" by rule auto
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	155	then show ?thesis by (simp only: AG_gfp) (rule gfp_unfold)
e524119dbf19 * empty log message * bauerg parents: diff changeset	156	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	157
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	158	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	159	This fact may be split up into two inequalities (merely using transitivity
02610a806467 tuned; wenzelm parents: 61933 diff changeset	160	of \<open>\<subseteq>\<close>, which is an instance of the overloaded \<open>\<le>\<close> in Isabelle/HOL).
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	161	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	162
e524119dbf19 * empty log message * bauerg parents: diff changeset	163	lemma AG_fp_1: "\<AG> p \<subseteq> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	164	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	165	note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> p" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	166	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	167	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	168
e524119dbf19 * empty log message * bauerg parents: diff changeset	169	lemma AG_fp_2: "\<AG> p \<subseteq> \<AX> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	170	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	171	note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> \<AX> \<AG> p" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	172	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	173	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	174
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	175	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	176	On the other hand, we have from the Knaster-Tarski fixed point theorem that
02610a806467 tuned; wenzelm parents: 61933 diff changeset	177	any other post-fixed point of @{term "\<lambda>s. p \<inter> \<AX> s"} is smaller than
02610a806467 tuned; wenzelm parents: 61933 diff changeset	178	@{term "\<AG> p"}. A post-fixed point is a set of states @{term q} such that
02610a806467 tuned; wenzelm parents: 61933 diff changeset	179	@{term "q \<subseteq> p \<inter> \<AX> q"}. This leads to the following co-induction
02610a806467 tuned; wenzelm parents: 61933 diff changeset	180	principle for @{term "\<AG> p"}.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	181	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	182
e524119dbf19 * empty log message * bauerg parents: diff changeset	183	lemma AG_I: "q \<subseteq> p \<inter> \<AX> q \<Longrightarrow> q \<subseteq> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	184	by (simp only: AG_gfp) (rule gfp_upperbound)
e524119dbf19 * empty log message * bauerg parents: diff changeset	185
e524119dbf19 * empty log message * bauerg parents: diff changeset	186
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	187	subsection \<open>The tree induction principle \label{sec:calc-ctl-tree-induct}\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	188
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	189	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	190	With the most basic facts available, we are now able to establish a few more
02610a806467 tuned; wenzelm parents: 61933 diff changeset	191	interesting results, leading to the \<^emph>\<open>tree induction\<close> principle for \<open>\<AG>\<close>
02610a806467 tuned; wenzelm parents: 61933 diff changeset	192	(see below). We will use some elementary monotonicity and distributivity
02610a806467 tuned; wenzelm parents: 61933 diff changeset	193	rules.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	194	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	195
e524119dbf19 * empty log message * bauerg parents: diff changeset	196	lemma AX_int: "\<AX> (p \<inter> q) = \<AX> p \<inter> \<AX> q" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	197	lemma AX_mono: "p \<subseteq> q \<Longrightarrow> \<AX> p \<subseteq> \<AX> q" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	198	lemma AG_mono: "p \<subseteq> q \<Longrightarrow> \<AG> p \<subseteq> \<AG> q"
e524119dbf19 * empty log message * bauerg parents: diff changeset	199	by (simp only: AG_gfp, rule gfp_mono) auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	200
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	201	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	202	The formula @{term "AG p"} implies @{term "AX p"} (we use substitution of
02610a806467 tuned; wenzelm parents: 61933 diff changeset	203	\<open>\<subseteq>\<close> with monotonicity).
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	204	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	205
e524119dbf19 * empty log message * bauerg parents: diff changeset	206	lemma AG_AX: "\<AG> p \<subseteq> \<AX> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	207	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	208	have "\<AG> p \<subseteq> \<AX> \<AG> p" by (rule AG_fp_2)
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	209	also have "\<AG> p \<subseteq> p" by (rule AG_fp_1)
02610a806467 tuned; wenzelm parents: 61933 diff changeset	210	moreover note AX_mono
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	211	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	212	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	213
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	214	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	215	Furthermore we show idempotency of the \<open>\<AG>\<close> operator. The proof is a good
02610a806467 tuned; wenzelm parents: 61933 diff changeset	216	example of how accumulated facts may get used to feed a single rule step.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	217	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	218
e524119dbf19 * empty log message * bauerg parents: diff changeset	219	lemma AG_AG: "\<AG> \<AG> p = \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	220	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	221	show "\<AG> \<AG> p \<subseteq> \<AG> p" by (rule AG_fp_1)
e524119dbf19 * empty log message * bauerg parents: diff changeset	222	next
e524119dbf19 * empty log message * bauerg parents: diff changeset	223	show "\<AG> p \<subseteq> \<AG> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	224	proof (rule AG_I)
e524119dbf19 * empty log message * bauerg parents: diff changeset	225	have "\<AG> p \<subseteq> \<AG> p" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	226	moreover have "\<AG> p \<subseteq> \<AX> \<AG> p" by (rule AG_fp_2)
e524119dbf19 * empty log message * bauerg parents: diff changeset	227	ultimately show "\<AG> p \<subseteq> \<AG> p \<inter> \<AX> \<AG> p" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	228	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	229	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	230
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	231	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	232	\<^smallskip>
02610a806467 tuned; wenzelm parents: 61933 diff changeset	233	We now give an alternative characterization of the \<open>\<AG>\<close> operator, which
02610a806467 tuned; wenzelm parents: 61933 diff changeset	234	describes the \<open>\<AG>\<close> operator in an ``operational'' way by tree induction:
02610a806467 tuned; wenzelm parents: 61933 diff changeset	235	In a state holds @{term "AG p"} iff in that state holds @{term p}, and in
02610a806467 tuned; wenzelm parents: 61933 diff changeset	236	all reachable states @{term s} follows from the fact that @{term p} holds in
02610a806467 tuned; wenzelm parents: 61933 diff changeset	237	@{term s}, that @{term p} also holds in all successor states of @{term s}.
02610a806467 tuned; wenzelm parents: 61933 diff changeset	238	We use the co-induction principle @{thm [source] AG_I} to establish this in
02610a806467 tuned; wenzelm parents: 61933 diff changeset	239	a purely algebraic manner.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	240	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	241
e524119dbf19 * empty log message * bauerg parents: diff changeset	242	theorem AG_induct: "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	243	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	244	show "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> p" (is "?lhs \<subseteq> _")
e524119dbf19 * empty log message * bauerg parents: diff changeset	245	proof (rule AG_I)
e524119dbf19 * empty log message * bauerg parents: diff changeset	246	show "?lhs \<subseteq> p \<inter> \<AX> ?lhs"
e524119dbf19 * empty log message * bauerg parents: diff changeset	247	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	248	show "?lhs \<subseteq> p" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	249	show "?lhs \<subseteq> \<AX> ?lhs"
e524119dbf19 * empty log message * bauerg parents: diff changeset	250	proof -
32960 69916a850301 eliminated hard tabulators, guessing at each author's individual tab-width; wenzelm parents: 32587 diff changeset	251	{
69916a850301 eliminated hard tabulators, guessing at each author's individual tab-width; wenzelm parents: 32587 diff changeset	252	have "\<AG> (p \<rightarrow> \<AX> p) \<subseteq> p \<rightarrow> \<AX> p" by (rule AG_fp_1)
46008 c296c75f4cf4 reverted some changes for set->predicate transition, according to "hg log -u berghofe -r Isabelle2007:Isabelle2008"; wenzelm parents: 42463 diff changeset	253	also have "p \<inter> p \<rightarrow> \<AX> p \<subseteq> \<AX> p" ..
c296c75f4cf4 reverted some changes for set->predicate transition, according to "hg log -u berghofe -r Isabelle2007:Isabelle2008"; wenzelm parents: 42463 diff changeset	254	finally have "?lhs \<subseteq> \<AX> p" by auto
32960 69916a850301 eliminated hard tabulators, guessing at each author's individual tab-width; wenzelm parents: 32587 diff changeset	255	}
69916a850301 eliminated hard tabulators, guessing at each author's individual tab-width; wenzelm parents: 32587 diff changeset	256	moreover
69916a850301 eliminated hard tabulators, guessing at each author's individual tab-width; wenzelm parents: 32587 diff changeset	257	{
69916a850301 eliminated hard tabulators, guessing at each author's individual tab-width; wenzelm parents: 32587 diff changeset	258	have "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> (p \<rightarrow> \<AX> p)" ..
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	259	also have "\<dots> \<subseteq> \<AX> \<dots>" by (rule AG_fp_2)
e524119dbf19 * empty log message * bauerg parents: diff changeset	260	finally have "?lhs \<subseteq> \<AX> \<AG> (p \<rightarrow> \<AX> p)" .
32960 69916a850301 eliminated hard tabulators, guessing at each author's individual tab-width; wenzelm parents: 32587 diff changeset	261	}
46008 c296c75f4cf4 reverted some changes for set->predicate transition, according to "hg log -u berghofe -r Isabelle2007:Isabelle2008"; wenzelm parents: 42463 diff changeset	262	ultimately have "?lhs \<subseteq> \<AX> p \<inter> \<AX> \<AG> (p \<rightarrow> \<AX> p)" ..
32960 69916a850301 eliminated hard tabulators, guessing at each author's individual tab-width; wenzelm parents: 32587 diff changeset	263	also have "\<dots> = \<AX> ?lhs" by (simp only: AX_int)
69916a850301 eliminated hard tabulators, guessing at each author's individual tab-width; wenzelm parents: 32587 diff changeset	264	finally show ?thesis .
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	265	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	266	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	267	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	268	next
e524119dbf19 * empty log message * bauerg parents: diff changeset	269	show "\<AG> p \<subseteq> p \<inter> \<AG> (p \<rightarrow> \<AX> p)"
e524119dbf19 * empty log message * bauerg parents: diff changeset	270	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	271	show "\<AG> p \<subseteq> p" by (rule AG_fp_1)
e524119dbf19 * empty log message * bauerg parents: diff changeset	272	show "\<AG> p \<subseteq> \<AG> (p \<rightarrow> \<AX> p)"
e524119dbf19 * empty log message * bauerg parents: diff changeset	273	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	274	have "\<AG> p = \<AG> \<AG> p" by (simp only: AG_AG)
e524119dbf19 * empty log message * bauerg parents: diff changeset	275	also have "\<AG> p \<subseteq> \<AX> p" by (rule AG_AX) moreover note AG_mono
e524119dbf19 * empty log message * bauerg parents: diff changeset	276	also have "\<AX> p \<subseteq> (p \<rightarrow> \<AX> p)" .. moreover note AG_mono
e524119dbf19 * empty log message * bauerg parents: diff changeset	277	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	278	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	279	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	280	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	281
e524119dbf19 * empty log message * bauerg parents: diff changeset	282
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	283	subsection \<open>An application of tree induction \label{sec:calc-ctl-commute}\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	284
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	285	text \<open>
61934 02610a806467 tuned; wenzelm parents: 61933 diff changeset	286	Further interesting properties of CTL expressions may be demonstrated with
02610a806467 tuned; wenzelm parents: 61933 diff changeset	287	the help of tree induction; here we show that \<open>\<AX>\<close> and \<open>\<AG>\<close> commute.
61343 5b5656a63bd6 isabelle update_cartouches; wenzelm parents: 58889 diff changeset	288	\<close>
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	289
e524119dbf19 * empty log message * bauerg parents: diff changeset	290	theorem AG_AX_commute: "\<AG> \<AX> p = \<AX> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	291	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	292	have "\<AG> \<AX> p = \<AX> p \<inter> \<AX> \<AG> \<AX> p" by (rule AG_fp)
e524119dbf19 * empty log message * bauerg parents: diff changeset	293	also have "\<dots> = \<AX> (p \<inter> \<AG> \<AX> p)" by (simp only: AX_int)
e524119dbf19 * empty log message * bauerg parents: diff changeset	294	also have "p \<inter> \<AG> \<AX> p = \<AG> p" (is "?lhs = _")
e524119dbf19 * empty log message * bauerg parents: diff changeset	295	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	296	have "\<AX> p \<subseteq> p \<rightarrow> \<AX> p" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	297	also have "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p" by (rule AG_induct)
e524119dbf19 * empty log message * bauerg parents: diff changeset	298	also note Int_mono AG_mono
e524119dbf19 * empty log message * bauerg parents: diff changeset	299	ultimately show "?lhs \<subseteq> \<AG> p" by fast
e524119dbf19 * empty log message * bauerg parents: diff changeset	300	next
e524119dbf19 * empty log message * bauerg parents: diff changeset	301	have "\<AG> p \<subseteq> p" by (rule AG_fp_1)
e524119dbf19 * empty log message * bauerg parents: diff changeset	302	moreover
e524119dbf19 * empty log message * bauerg parents: diff changeset	303	{
e524119dbf19 * empty log message * bauerg parents: diff changeset	304	have "\<AG> p = \<AG> \<AG> p" by (simp only: AG_AG)
e524119dbf19 * empty log message * bauerg parents: diff changeset	305	also have "\<AG> p \<subseteq> \<AX> p" by (rule AG_AX)
e524119dbf19 * empty log message * bauerg parents: diff changeset	306	also note AG_mono
e524119dbf19 * empty log message * bauerg parents: diff changeset	307	ultimately have "\<AG> p \<subseteq> \<AG> \<AX> p" .
e524119dbf19 * empty log message * bauerg parents: diff changeset	308	}
e524119dbf19 * empty log message * bauerg parents: diff changeset	309	ultimately show "\<AG> p \<subseteq> ?lhs" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	310	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	311	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	312	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	313
e524119dbf19 * empty log message * bauerg parents: diff changeset	314	end

author	wenzelm
	Sat, 26 Dec 2015 16:10:00 +0100
changeset 61934	02610a806467
parent 61933	cf58b5b794b2
child 63054	1b237d147cc4
permissions	-rw-r--r--