isabelle: src/HOL/ex/CTL.thy@3897988917a3 (annotated)

15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	1	(* Title: HOL/ex/CTL.thy
e524119dbf19 * empty log message * bauerg parents: diff changeset	2	ID: $Id$
e524119dbf19 * empty log message * bauerg parents: diff changeset	3	Author: Gertrud Bauer
e524119dbf19 * empty log message * bauerg parents: diff changeset	4	*)
e524119dbf19 * empty log message * bauerg parents: diff changeset	5
e524119dbf19 * empty log message * bauerg parents: diff changeset	6	header {* CTL formulae *}
e524119dbf19 * empty log message * bauerg parents: diff changeset	7
16417 9bc16273c2d4 migrated theory headers to new format haftmann parents: 15871 diff changeset	8	theory CTL imports Main begin
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	9
e524119dbf19 * empty log message * bauerg parents: diff changeset	10	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	11	We formalize basic concepts of Computational Tree Logic (CTL)
e524119dbf19 * empty log message * bauerg parents: diff changeset	12	\cite{McMillan-PhDThesis,McMillan-LectureNotes} within the
e524119dbf19 * empty log message * bauerg parents: diff changeset	13	simply-typed set theory of HOL.
e524119dbf19 * empty log message * bauerg parents: diff changeset	14
e524119dbf19 * empty log message * bauerg parents: diff changeset	15	By using the common technique of ``shallow embedding'', a CTL
e524119dbf19 * empty log message * bauerg parents: diff changeset	16	formula is identified with the corresponding set of states where it
e524119dbf19 * empty log message * bauerg parents: diff changeset	17	holds. Consequently, CTL operations such as negation, conjunction,
e524119dbf19 * empty log message * bauerg parents: diff changeset	18	disjunction simply become complement, intersection, union of sets.
e524119dbf19 * empty log message * bauerg parents: diff changeset	19	We only require a separate operation for implication, as point-wise
e524119dbf19 * empty log message * bauerg parents: diff changeset	20	inclusion is usually not encountered in plain set-theory.
e524119dbf19 * empty log message * bauerg parents: diff changeset	21	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	22
e524119dbf19 * empty log message * bauerg parents: diff changeset	23	lemmas [intro!] = Int_greatest Un_upper2 Un_upper1 Int_lower1 Int_lower2
e524119dbf19 * empty log message * bauerg parents: diff changeset	24
e524119dbf19 * empty log message * bauerg parents: diff changeset	25	types 'a ctl = "'a set"
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	26
bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	27	definition
21404 eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	28	imp :: "'a ctl \<Rightarrow> 'a ctl \<Rightarrow> 'a ctl" (infixr "\<rightarrow>" 75) where
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	29	"p \<rightarrow> q = - p \<union> q"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	30
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	31	lemma [intro!]: "p \<inter> p \<rightarrow> q \<subseteq> q" unfolding imp_def by auto
bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	32	lemma [intro!]: "p \<subseteq> (q \<rightarrow> p)" unfolding imp_def by rule
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	33
e524119dbf19 * empty log message * bauerg parents: diff changeset	34
e524119dbf19 * empty log message * bauerg parents: diff changeset	35	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	36	\smallskip The CTL path operators are more interesting; they are
e524119dbf19 * empty log message * bauerg parents: diff changeset	37	based on an arbitrary, but fixed model @{text \<M>}, which is simply
e524119dbf19 * empty log message * bauerg parents: diff changeset	38	a transition relation over states @{typ "'a"}.
e524119dbf19 * empty log message * bauerg parents: diff changeset	39	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	40
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	41	axiomatization \<M> :: "('a \<times> 'a) set"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	42
e524119dbf19 * empty log message * bauerg parents: diff changeset	43	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	44	The operators @{text \<EX>}, @{text \<EF>}, @{text \<EG>} are taken
e524119dbf19 * empty log message * bauerg parents: diff changeset	45	as primitives, while @{text \<AX>}, @{text \<AF>}, @{text \<AG>} are
e524119dbf19 * empty log message * bauerg parents: diff changeset	46	defined as derived ones. The formula @{text "\<EX> p"} holds in a
e524119dbf19 * empty log message * bauerg parents: diff changeset	47	state @{term s}, iff there is a successor state @{term s'} (with
e524119dbf19 * empty log message * bauerg parents: diff changeset	48	respect to the model @{term \<M>}), such that @{term p} holds in
e524119dbf19 * empty log message * bauerg parents: diff changeset	49	@{term s'}. The formula @{text "\<EF> p"} holds in a state @{term
e524119dbf19 * empty log message * bauerg parents: diff changeset	50	s}, iff there is a path in @{text \<M>}, starting from @{term s},
e524119dbf19 * empty log message * bauerg parents: diff changeset	51	such that there exists a state @{term s'} on the path, such that
e524119dbf19 * empty log message * bauerg parents: diff changeset	52	@{term p} holds in @{term s'}. The formula @{text "\<EG> p"} holds
e524119dbf19 * empty log message * bauerg parents: diff changeset	53	in a state @{term s}, iff there is a path, starting from @{term s},
e524119dbf19 * empty log message * bauerg parents: diff changeset	54	such that for all states @{term s'} on the path, @{term p} holds in
e524119dbf19 * empty log message * bauerg parents: diff changeset	55	@{term s'}. It is easy to see that @{text "\<EF> p"} and @{text
e524119dbf19 * empty log message * bauerg parents: diff changeset	56	"\<EG> p"} may be expressed using least and greatest fixed points
e524119dbf19 * empty log message * bauerg parents: diff changeset	57	\cite{McMillan-PhDThesis}.
e524119dbf19 * empty log message * bauerg parents: diff changeset	58	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	59
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	60	definition
21404 eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	61	EX ("\<EX> _" [80] 90) where "\<EX> p = {s. \<exists>s'. (s, s') \<in> \<M> \<and> s' \<in> p}"
eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	62	definition
eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	63	EF ("\<EF> _" [80] 90) where "\<EF> p = lfp (\<lambda>s. p \<union> \<EX> s)"
eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	64	definition
eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	65	EG ("\<EG> _" [80] 90) where "\<EG> p = gfp (\<lambda>s. p \<inter> \<EX> s)"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	66
e524119dbf19 * empty log message * bauerg parents: diff changeset	67	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	68	@{text "\<AX>"}, @{text "\<AF>"} and @{text "\<AG>"} are now defined
e524119dbf19 * empty log message * bauerg parents: diff changeset	69	dually in terms of @{text "\<EX>"}, @{text "\<EF>"} and @{text
e524119dbf19 * empty log message * bauerg parents: diff changeset	70	"\<EG>"}.
e524119dbf19 * empty log message * bauerg parents: diff changeset	71	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	72
20807 bd3b60f9a343 tuned; wenzelm parents: 17388 diff changeset	73	definition
21404 eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	74	AX ("\<AX> _" [80] 90) where "\<AX> p = - \<EX> - p"
eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	75	definition
eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	76	AF ("\<AF> _" [80] 90) where "\<AF> p = - \<EG> - p"
eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	77	definition
eb85850d3eb7 more robust syntax for definition/abbreviation/notation; wenzelm parents: 21312 diff changeset	78	AG ("\<AG> _" [80] 90) where "\<AG> p = - \<EF> - p"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	79
e524119dbf19 * empty log message * bauerg parents: diff changeset	80	lemmas [simp] = EX_def EG_def AX_def EF_def AF_def AG_def
e524119dbf19 * empty log message * bauerg parents: diff changeset	81
e524119dbf19 * empty log message * bauerg parents: diff changeset	82
23219 87ad6e8a5f2c tuned document; wenzelm parents: 21404 diff changeset	83	subsection {* Basic fixed point properties *}
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	84
e524119dbf19 * empty log message * bauerg parents: diff changeset	85	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	86	First of all, we use the de-Morgan property of fixed points
e524119dbf19 * empty log message * bauerg parents: diff changeset	87	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	88
21026 3b2821e0d541 Adapted to changes in FixedPoint theory. berghofe parents: 20807 diff changeset	89	lemma lfp_gfp: "lfp f = - gfp (\<lambda>s::'a set. - (f (- s)))"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	90	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	91	show "lfp f \<subseteq> - gfp (\<lambda>s. - f (- s))"
e524119dbf19 * empty log message * bauerg parents: diff changeset	92	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	93	fix x assume l: "x \<in> lfp f"
e524119dbf19 * empty log message * bauerg parents: diff changeset	94	show "x \<in> - gfp (\<lambda>s. - f (- s))"
e524119dbf19 * empty log message * bauerg parents: diff changeset	95	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	96	assume "x \<in> gfp (\<lambda>s. - f (- s))"
21026 3b2821e0d541 Adapted to changes in FixedPoint theory. berghofe parents: 20807 diff changeset	97	then obtain u where "x \<in> u" and "u \<subseteq> - f (- u)"
26813 6a4d5ca6d2e5 Rephrased calculational proofs to avoid problems with HO unification berghofe parents: 24345 diff changeset	98	by (auto simp add: gfp_def Sup_set_eq)
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	99	then have "f (- u) \<subseteq> - u" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	100	then have "lfp f \<subseteq> - u" by (rule lfp_lowerbound)
e524119dbf19 * empty log message * bauerg parents: diff changeset	101	from l and this have "x \<notin> u" by auto
23389 aaca6a8e5414 tuned proofs: avoid implicit prems; wenzelm parents: 23219 diff changeset	102	with `x \<in> u` show False by contradiction
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	103	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	104	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	105	show "- gfp (\<lambda>s. - f (- s)) \<subseteq> lfp f"
e524119dbf19 * empty log message * bauerg parents: diff changeset	106	proof (rule lfp_greatest)
e524119dbf19 * empty log message * bauerg parents: diff changeset	107	fix u assume "f u \<subseteq> u"
e524119dbf19 * empty log message * bauerg parents: diff changeset	108	then have "- u \<subseteq> - f u" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	109	then have "- u \<subseteq> - f (- (- u))" by simp
e524119dbf19 * empty log message * bauerg parents: diff changeset	110	then have "- u \<subseteq> gfp (\<lambda>s. - f (- s))" by (rule gfp_upperbound)
e524119dbf19 * empty log message * bauerg parents: diff changeset	111	then show "- gfp (\<lambda>s. - f (- s)) \<subseteq> u" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	112	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	113	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	114
21026 3b2821e0d541 Adapted to changes in FixedPoint theory. berghofe parents: 20807 diff changeset	115	lemma lfp_gfp': "- lfp f = gfp (\<lambda>s::'a set. - (f (- s)))"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	116	by (simp add: lfp_gfp)
e524119dbf19 * empty log message * bauerg parents: diff changeset	117
21026 3b2821e0d541 Adapted to changes in FixedPoint theory. berghofe parents: 20807 diff changeset	118	lemma gfp_lfp': "- gfp f = lfp (\<lambda>s::'a set. - (f (- s)))"
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	119	by (simp add: lfp_gfp)
e524119dbf19 * empty log message * bauerg parents: diff changeset	120
e524119dbf19 * empty log message * bauerg parents: diff changeset	121	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	122	in order to give dual fixed point representations of @{term "AF p"}
e524119dbf19 * empty log message * bauerg parents: diff changeset	123	and @{term "AG p"}:
e524119dbf19 * empty log message * bauerg parents: diff changeset	124	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	125
e524119dbf19 * empty log message * bauerg parents: diff changeset	126	lemma AF_lfp: "\<AF> p = lfp (\<lambda>s. p \<union> \<AX> s)" by (simp add: lfp_gfp)
e524119dbf19 * empty log message * bauerg parents: diff changeset	127	lemma AG_gfp: "\<AG> p = gfp (\<lambda>s. p \<inter> \<AX> s)" by (simp add: lfp_gfp)
e524119dbf19 * empty log message * bauerg parents: diff changeset	128
e524119dbf19 * empty log message * bauerg parents: diff changeset	129	lemma EF_fp: "\<EF> p = p \<union> \<EX> \<EF> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	130	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	131	have "mono (\<lambda>s. p \<union> \<EX> s)" by rule (auto simp add: EX_def)
e524119dbf19 * empty log message * bauerg parents: diff changeset	132	then show ?thesis by (simp only: EF_def) (rule lfp_unfold)
e524119dbf19 * empty log message * bauerg parents: diff changeset	133	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	134
e524119dbf19 * empty log message * bauerg parents: diff changeset	135	lemma AF_fp: "\<AF> p = p \<union> \<AX> \<AF> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	136	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	137	have "mono (\<lambda>s. p \<union> \<AX> s)" by rule (auto simp add: AX_def EX_def)
e524119dbf19 * empty log message * bauerg parents: diff changeset	138	then show ?thesis by (simp only: AF_lfp) (rule lfp_unfold)
e524119dbf19 * empty log message * bauerg parents: diff changeset	139	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	140
e524119dbf19 * empty log message * bauerg parents: diff changeset	141	lemma EG_fp: "\<EG> p = p \<inter> \<EX> \<EG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	142	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	143	have "mono (\<lambda>s. p \<inter> \<EX> s)" by rule (auto simp add: EX_def)
e524119dbf19 * empty log message * bauerg parents: diff changeset	144	then show ?thesis by (simp only: EG_def) (rule gfp_unfold)
e524119dbf19 * empty log message * bauerg parents: diff changeset	145	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	146
e524119dbf19 * empty log message * bauerg parents: diff changeset	147	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	148	From the greatest fixed point definition of @{term "\<AG> p"}, we
e524119dbf19 * empty log message * bauerg parents: diff changeset	149	derive as a consequence of the Knaster-Tarski theorem on the one
e524119dbf19 * empty log message * bauerg parents: diff changeset	150	hand that @{term "\<AG> p"} is a fixed point of the monotonic
e524119dbf19 * empty log message * bauerg parents: diff changeset	151	function @{term "\<lambda>s. p \<inter> \<AX> s"}.
e524119dbf19 * empty log message * bauerg parents: diff changeset	152	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	153
e524119dbf19 * empty log message * bauerg parents: diff changeset	154	lemma AG_fp: "\<AG> p = p \<inter> \<AX> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	155	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	156	have "mono (\<lambda>s. p \<inter> \<AX> s)" by rule (auto simp add: AX_def EX_def)
e524119dbf19 * empty log message * bauerg parents: diff changeset	157	then show ?thesis by (simp only: AG_gfp) (rule gfp_unfold)
e524119dbf19 * empty log message * bauerg parents: diff changeset	158	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	159
e524119dbf19 * empty log message * bauerg parents: diff changeset	160	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	161	This fact may be split up into two inequalities (merely using
e524119dbf19 * empty log message * bauerg parents: diff changeset	162	transitivity of @{text "\<subseteq>" }, which is an instance of the overloaded
e524119dbf19 * empty log message * bauerg parents: diff changeset	163	@{text "\<le>"} in Isabelle/HOL).
e524119dbf19 * empty log message * bauerg parents: diff changeset	164	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	165
e524119dbf19 * empty log message * bauerg parents: diff changeset	166	lemma AG_fp_1: "\<AG> p \<subseteq> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	167	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	168	note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> p" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	169	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	170	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	171
e524119dbf19 * empty log message * bauerg parents: diff changeset	172	lemma AG_fp_2: "\<AG> p \<subseteq> \<AX> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	173	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	174	note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> \<AX> \<AG> p" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	175	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	176	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	177
e524119dbf19 * empty log message * bauerg parents: diff changeset	178	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	179	On the other hand, we have from the Knaster-Tarski fixed point
e524119dbf19 * empty log message * bauerg parents: diff changeset	180	theorem that any other post-fixed point of @{term "\<lambda>s. p \<inter> AX s"} is
e524119dbf19 * empty log message * bauerg parents: diff changeset	181	smaller than @{term "AG p"}. A post-fixed point is a set of states
e524119dbf19 * empty log message * bauerg parents: diff changeset	182	@{term q} such that @{term "q \<subseteq> p \<inter> AX q"}. This leads to the
e524119dbf19 * empty log message * bauerg parents: diff changeset	183	following co-induction principle for @{term "AG p"}.
e524119dbf19 * empty log message * bauerg parents: diff changeset	184	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	185
e524119dbf19 * empty log message * bauerg parents: diff changeset	186	lemma AG_I: "q \<subseteq> p \<inter> \<AX> q \<Longrightarrow> q \<subseteq> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	187	by (simp only: AG_gfp) (rule gfp_upperbound)
e524119dbf19 * empty log message * bauerg parents: diff changeset	188
e524119dbf19 * empty log message * bauerg parents: diff changeset	189
23219 87ad6e8a5f2c tuned document; wenzelm parents: 21404 diff changeset	190	subsection {* The tree induction principle \label{sec:calc-ctl-tree-induct} *}
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	191
e524119dbf19 * empty log message * bauerg parents: diff changeset	192	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	193	With the most basic facts available, we are now able to establish a
e524119dbf19 * empty log message * bauerg parents: diff changeset	194	few more interesting results, leading to the \emph{tree induction}
e524119dbf19 * empty log message * bauerg parents: diff changeset	195	principle for @{text AG} (see below). We will use some elementary
e524119dbf19 * empty log message * bauerg parents: diff changeset	196	monotonicity and distributivity rules.
e524119dbf19 * empty log message * bauerg parents: diff changeset	197	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	198
e524119dbf19 * empty log message * bauerg parents: diff changeset	199	lemma AX_int: "\<AX> (p \<inter> q) = \<AX> p \<inter> \<AX> q" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	200	lemma AX_mono: "p \<subseteq> q \<Longrightarrow> \<AX> p \<subseteq> \<AX> q" by auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	201	lemma AG_mono: "p \<subseteq> q \<Longrightarrow> \<AG> p \<subseteq> \<AG> q"
e524119dbf19 * empty log message * bauerg parents: diff changeset	202	by (simp only: AG_gfp, rule gfp_mono) auto
e524119dbf19 * empty log message * bauerg parents: diff changeset	203
e524119dbf19 * empty log message * bauerg parents: diff changeset	204	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	205	The formula @{term "AG p"} implies @{term "AX p"} (we use
e524119dbf19 * empty log message * bauerg parents: diff changeset	206	substitution of @{text "\<subseteq>"} with monotonicity).
e524119dbf19 * empty log message * bauerg parents: diff changeset	207	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	208
e524119dbf19 * empty log message * bauerg parents: diff changeset	209	lemma AG_AX: "\<AG> p \<subseteq> \<AX> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	210	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	211	have "\<AG> p \<subseteq> \<AX> \<AG> p" by (rule AG_fp_2)
e524119dbf19 * empty log message * bauerg parents: diff changeset	212	also have "\<AG> p \<subseteq> p" by (rule AG_fp_1) moreover note AX_mono
e524119dbf19 * empty log message * bauerg parents: diff changeset	213	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	214	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	215
e524119dbf19 * empty log message * bauerg parents: diff changeset	216	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	217	Furthermore we show idempotency of the @{text "\<AG>"} operator.
e524119dbf19 * empty log message * bauerg parents: diff changeset	218	The proof is a good example of how accumulated facts may get
e524119dbf19 * empty log message * bauerg parents: diff changeset	219	used to feed a single rule step.
e524119dbf19 * empty log message * bauerg parents: diff changeset	220	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	221
e524119dbf19 * empty log message * bauerg parents: diff changeset	222	lemma AG_AG: "\<AG> \<AG> p = \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	223	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	224	show "\<AG> \<AG> p \<subseteq> \<AG> p" by (rule AG_fp_1)
e524119dbf19 * empty log message * bauerg parents: diff changeset	225	next
e524119dbf19 * empty log message * bauerg parents: diff changeset	226	show "\<AG> p \<subseteq> \<AG> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	227	proof (rule AG_I)
e524119dbf19 * empty log message * bauerg parents: diff changeset	228	have "\<AG> p \<subseteq> \<AG> p" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	229	moreover have "\<AG> p \<subseteq> \<AX> \<AG> p" by (rule AG_fp_2)
e524119dbf19 * empty log message * bauerg parents: diff changeset	230	ultimately show "\<AG> p \<subseteq> \<AG> p \<inter> \<AX> \<AG> p" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	231	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	232	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	233
e524119dbf19 * empty log message * bauerg parents: diff changeset	234	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	235	\smallskip We now give an alternative characterization of the @{text
e524119dbf19 * empty log message * bauerg parents: diff changeset	236	"\<AG>"} operator, which describes the @{text "\<AG>"} operator in
e524119dbf19 * empty log message * bauerg parents: diff changeset	237	an ``operational'' way by tree induction: In a state holds @{term
e524119dbf19 * empty log message * bauerg parents: diff changeset	238	"AG p"} iff in that state holds @{term p}, and in all reachable
e524119dbf19 * empty log message * bauerg parents: diff changeset	239	states @{term s} follows from the fact that @{term p} holds in
e524119dbf19 * empty log message * bauerg parents: diff changeset	240	@{term s}, that @{term p} also holds in all successor states of
e524119dbf19 * empty log message * bauerg parents: diff changeset	241	@{term s}. We use the co-induction principle @{thm [source] AG_I}
e524119dbf19 * empty log message * bauerg parents: diff changeset	242	to establish this in a purely algebraic manner.
e524119dbf19 * empty log message * bauerg parents: diff changeset	243	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	244
e524119dbf19 * empty log message * bauerg parents: diff changeset	245	theorem AG_induct: "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	246	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	247	show "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> p" (is "?lhs \<subseteq> _")
e524119dbf19 * empty log message * bauerg parents: diff changeset	248	proof (rule AG_I)
e524119dbf19 * empty log message * bauerg parents: diff changeset	249	show "?lhs \<subseteq> p \<inter> \<AX> ?lhs"
e524119dbf19 * empty log message * bauerg parents: diff changeset	250	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	251	show "?lhs \<subseteq> p" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	252	show "?lhs \<subseteq> \<AX> ?lhs"
e524119dbf19 * empty log message * bauerg parents: diff changeset	253	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	254	{
e524119dbf19 * empty log message * bauerg parents: diff changeset	255	have "\<AG> (p \<rightarrow> \<AX> p) \<subseteq> p \<rightarrow> \<AX> p" by (rule AG_fp_1)
26813 6a4d5ca6d2e5 Rephrased calculational proofs to avoid problems with HO unification berghofe parents: 24345 diff changeset	256	moreover have "p \<inter> p \<rightarrow> \<AX> p \<subseteq> \<AX> p" ..
6a4d5ca6d2e5 Rephrased calculational proofs to avoid problems with HO unification berghofe parents: 24345 diff changeset	257	ultimately have "?lhs \<subseteq> \<AX> p" by auto
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	258	}
e524119dbf19 * empty log message * bauerg parents: diff changeset	259	moreover
e524119dbf19 * empty log message * bauerg parents: diff changeset	260	{
e524119dbf19 * empty log message * bauerg parents: diff changeset	261	have "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> (p \<rightarrow> \<AX> p)" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	262	also have "\<dots> \<subseteq> \<AX> \<dots>" by (rule AG_fp_2)
e524119dbf19 * empty log message * bauerg parents: diff changeset	263	finally have "?lhs \<subseteq> \<AX> \<AG> (p \<rightarrow> \<AX> p)" .
e524119dbf19 * empty log message * bauerg parents: diff changeset	264	}
26813 6a4d5ca6d2e5 Rephrased calculational proofs to avoid problems with HO unification berghofe parents: 24345 diff changeset	265	ultimately have "?lhs \<subseteq> \<AX> p \<inter> \<AX> \<AG> (p \<rightarrow> \<AX> p)"
6a4d5ca6d2e5 Rephrased calculational proofs to avoid problems with HO unification berghofe parents: 24345 diff changeset	266	by (rule Int_greatest)
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	267	also have "\<dots> = \<AX> ?lhs" by (simp only: AX_int)
e524119dbf19 * empty log message * bauerg parents: diff changeset	268	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	269	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	270	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	271	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	272	next
e524119dbf19 * empty log message * bauerg parents: diff changeset	273	show "\<AG> p \<subseteq> p \<inter> \<AG> (p \<rightarrow> \<AX> p)"
e524119dbf19 * empty log message * bauerg parents: diff changeset	274	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	275	show "\<AG> p \<subseteq> p" by (rule AG_fp_1)
e524119dbf19 * empty log message * bauerg parents: diff changeset	276	show "\<AG> p \<subseteq> \<AG> (p \<rightarrow> \<AX> p)"
e524119dbf19 * empty log message * bauerg parents: diff changeset	277	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	278	have "\<AG> p = \<AG> \<AG> p" by (simp only: AG_AG)
e524119dbf19 * empty log message * bauerg parents: diff changeset	279	also have "\<AG> p \<subseteq> \<AX> p" by (rule AG_AX) moreover note AG_mono
e524119dbf19 * empty log message * bauerg parents: diff changeset	280	also have "\<AX> p \<subseteq> (p \<rightarrow> \<AX> p)" .. moreover note AG_mono
e524119dbf19 * empty log message * bauerg parents: diff changeset	281	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	282	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	283	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	284	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	285
e524119dbf19 * empty log message * bauerg parents: diff changeset	286
23219 87ad6e8a5f2c tuned document; wenzelm parents: 21404 diff changeset	287	subsection {* An application of tree induction \label{sec:calc-ctl-commute} *}
15871 e524119dbf19 * empty log message * bauerg parents: diff changeset	288
e524119dbf19 * empty log message * bauerg parents: diff changeset	289	text {*
e524119dbf19 * empty log message * bauerg parents: diff changeset	290	Further interesting properties of CTL expressions may be
e524119dbf19 * empty log message * bauerg parents: diff changeset	291	demonstrated with the help of tree induction; here we show that
e524119dbf19 * empty log message * bauerg parents: diff changeset	292	@{text \<AX>} and @{text \<AG>} commute.
e524119dbf19 * empty log message * bauerg parents: diff changeset	293	*}
e524119dbf19 * empty log message * bauerg parents: diff changeset	294
e524119dbf19 * empty log message * bauerg parents: diff changeset	295	theorem AG_AX_commute: "\<AG> \<AX> p = \<AX> \<AG> p"
e524119dbf19 * empty log message * bauerg parents: diff changeset	296	proof -
e524119dbf19 * empty log message * bauerg parents: diff changeset	297	have "\<AG> \<AX> p = \<AX> p \<inter> \<AX> \<AG> \<AX> p" by (rule AG_fp)
e524119dbf19 * empty log message * bauerg parents: diff changeset	298	also have "\<dots> = \<AX> (p \<inter> \<AG> \<AX> p)" by (simp only: AX_int)
e524119dbf19 * empty log message * bauerg parents: diff changeset	299	also have "p \<inter> \<AG> \<AX> p = \<AG> p" (is "?lhs = _")
e524119dbf19 * empty log message * bauerg parents: diff changeset	300	proof
e524119dbf19 * empty log message * bauerg parents: diff changeset	301	have "\<AX> p \<subseteq> p \<rightarrow> \<AX> p" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	302	also have "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p" by (rule AG_induct)
e524119dbf19 * empty log message * bauerg parents: diff changeset	303	also note Int_mono AG_mono
e524119dbf19 * empty log message * bauerg parents: diff changeset	304	ultimately show "?lhs \<subseteq> \<AG> p" by fast
e524119dbf19 * empty log message * bauerg parents: diff changeset	305	next
e524119dbf19 * empty log message * bauerg parents: diff changeset	306	have "\<AG> p \<subseteq> p" by (rule AG_fp_1)
e524119dbf19 * empty log message * bauerg parents: diff changeset	307	moreover
e524119dbf19 * empty log message * bauerg parents: diff changeset	308	{
e524119dbf19 * empty log message * bauerg parents: diff changeset	309	have "\<AG> p = \<AG> \<AG> p" by (simp only: AG_AG)
e524119dbf19 * empty log message * bauerg parents: diff changeset	310	also have "\<AG> p \<subseteq> \<AX> p" by (rule AG_AX)
e524119dbf19 * empty log message * bauerg parents: diff changeset	311	also note AG_mono
e524119dbf19 * empty log message * bauerg parents: diff changeset	312	ultimately have "\<AG> p \<subseteq> \<AG> \<AX> p" .
e524119dbf19 * empty log message * bauerg parents: diff changeset	313	}
e524119dbf19 * empty log message * bauerg parents: diff changeset	314	ultimately show "\<AG> p \<subseteq> ?lhs" ..
e524119dbf19 * empty log message * bauerg parents: diff changeset	315	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	316	finally show ?thesis .
e524119dbf19 * empty log message * bauerg parents: diff changeset	317	qed
e524119dbf19 * empty log message * bauerg parents: diff changeset	318
e524119dbf19 * empty log message * bauerg parents: diff changeset	319	end

author	huffman
	Tue, 01 Jul 2008 01:09:03 +0200
changeset 27406	3897988917a3
parent 26813	6a4d5ca6d2e5
child 32587	caa5ada96a00
permissions	-rw-r--r--