isabelle: doc-src/TutorialI/CTL/Base.thy@499637e8f2c6 (annotated)

10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	1	(<)theory Base = Main:(>)
9469c039ff57 * empty log message * nipkow parents: diff changeset	2
10186 499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	3	section{Case study: Verified model checkers}
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	4
9469c039ff57 * empty log message * nipkow parents: diff changeset	5	text{*
9469c039ff57 * empty log message * nipkow parents: diff changeset	6	Model checking is a very popular technique for the verification of finite
9469c039ff57 * empty log message * nipkow parents: diff changeset	7	state systems (implementations) w.r.t.\ temporal logic formulae
10186 499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	8	(specifications) \cite{Clarke,Huth-Ryan-book}. Its foundations are completely set theoretic
499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	9	and this section shall explore them a little in HOL. This is done in two steps: first
10178 aecb5bf6f76f * empty log message * nipkow parents: 10133 diff changeset	10	we consider a simple modal logic called propositional dynamic
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	11	logic (PDL) which we then extend to the temporal logic CTL used in many real
9469c039ff57 * empty log message * nipkow parents: diff changeset	12	model checkers. In each case we give both a traditional semantics (@{text \<Turnstile>}) and a
9469c039ff57 * empty log message * nipkow parents: diff changeset	13	recursive function @{term mc} that maps a formula into the set of all states of
9469c039ff57 * empty log message * nipkow parents: diff changeset	14	the system where the formula is valid. If the system has a finite number of
9469c039ff57 * empty log message * nipkow parents: diff changeset	15	states, @{term mc} is directly executable, i.e.\ a model checker, albeit not a
9469c039ff57 * empty log message * nipkow parents: diff changeset	16	very efficient one. The main proof obligation is to show that the semantics
9469c039ff57 * empty log message * nipkow parents: diff changeset	17	and the model checker agree.
9469c039ff57 * empty log message * nipkow parents: diff changeset	18
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	19	\underscoreon
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	20
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	21	Our models are \emph{transition systems}, i.e.\ sets of \emph{states} with
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	22	transitions between them, as shown in this simple example:
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	23	\begin{center}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	24	\unitlength.5mm
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	25	\thicklines
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	26	\begin{picture}(100,60)
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	27	\put(50,50){\circle{20}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	28	\put(50,50){\makebox(0,0){$p,q$}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	29	\put(61,55){\makebox(0,0)[l]{$s_0$}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	30	\put(44,42){\vector(-1,-1){26}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	31	\put(16,18){\vector(1,1){26}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	32	\put(57,43){\vector(1,-1){26}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	33	\put(10,10){\circle{20}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	34	\put(10,10){\makebox(0,0){$q,r$}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	35	\put(-1,15){\makebox(0,0)[r]{$s_1$}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	36	\put(20,10){\vector(1,0){60}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	37	\put(90,10){\circle{20}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	38	\put(90,10){\makebox(0,0){$r$}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	39	\put(98, 5){\line(1,0){10}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	40	\put(108, 5){\line(0,1){10}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	41	\put(108,15){\vector(-1,0){10}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	42	\put(91,21){\makebox(0,0)[bl]{$s_2$}}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	43	\end{picture}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	44	\end{center}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	45	Each state has a unique name or number ($s_0,s_1,s_2$), and in each
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	46	state certain \emph{atomic propositions} ($p,q,r$) are true.
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	47	The aim of temporal logic is to formalize statements such as ``there is no
10186 499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	48	path starting from $s_2$ leading to a state where $p$ or $q$
499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	49	are true'', which is true, and ``on all paths starting from $s_0$ $q$ is always true'',
499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	50	which is false.
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	51
9469c039ff57 * empty log message * nipkow parents: diff changeset	52	Abstracting from this concrete example, we assume there is some type of
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	53	states
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	54	*}
9469c039ff57 * empty log message * nipkow parents: diff changeset	55
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	56	typedecl state
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	57
9469c039ff57 * empty log message * nipkow parents: diff changeset	58	text{*\noindent
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	59	which we merely declare rather than define because it is an implicit
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	60	parameter of our model. Of course it would have been more generic to make
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	61	@{typ state} a type parameter of everything but fixing @{typ state} as above
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	62	reduces clutter.
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	63	Similarly we declare an arbitrary but fixed transition system, i.e.\
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	64	relation between states:
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	65	*}
9469c039ff57 * empty log message * nipkow parents: diff changeset	66
9469c039ff57 * empty log message * nipkow parents: diff changeset	67	consts M :: "(state \<times> state)set";
9469c039ff57 * empty log message * nipkow parents: diff changeset	68
9469c039ff57 * empty log message * nipkow parents: diff changeset	69	text{*\noindent
9469c039ff57 * empty log message * nipkow parents: diff changeset	70	Again, we could have made @{term M} a parameter of everything.
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	71	Finally we introduce a type of atomic propositions
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	72	*}
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	73
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	74	typedecl atom
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	75
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	76	text{*\noindent
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	77	and a \emph{labelling function}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	78	*}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	79
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	80	consts L :: "state \<Rightarrow> atom set"
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	81
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	82	text{*\noindent
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	83	telling us which atomic propositions are true in each state.
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	84	*}
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	85
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	86	(<)end(>)

author	nipkow
	Wed, 11 Oct 2000 09:09:06 +0200
changeset 10186	499637e8f2c6
parent 10178	aecb5bf6f76f
child 10192	4c2584e23ade
permissions	-rw-r--r--