isabelle: src/HOL/CTL/CTL.thy@85b3735a51e1 (annotated)

11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	1
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	2	theory CTL = Main:
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	3
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	4	section {* CTL formulae *}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	5
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	6	text {*
11355 778c369559d9 tuned wenzelm parents: 11352 diff changeset	7	\tweakskip We formalize basic concepts of Computational Tree Logic
778c369559d9 tuned wenzelm parents: 11352 diff changeset	8	(CTL) \cite{McMillan-PhDThesis,McMillan-LectureNotes} within the
778c369559d9 tuned wenzelm parents: 11352 diff changeset	9	simply-typed set theory of HOL.
778c369559d9 tuned wenzelm parents: 11352 diff changeset	10
778c369559d9 tuned wenzelm parents: 11352 diff changeset	11	By using the common technique of ``shallow embedding'', a CTL
778c369559d9 tuned wenzelm parents: 11352 diff changeset	12	formula is identified with the corresponding set of states where it
778c369559d9 tuned wenzelm parents: 11352 diff changeset	13	holds. Consequently, CTL operations such as negation, conjunction,
778c369559d9 tuned wenzelm parents: 11352 diff changeset	14	disjunction simply become complement, intersection, union of sets.
778c369559d9 tuned wenzelm parents: 11352 diff changeset	15	We only require a separate operation for implication, as point-wise
778c369559d9 tuned wenzelm parents: 11352 diff changeset	16	inclusion is usually not encountered in plain set-theory.
11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	17	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	18
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	19	lemmas [intro!] = Int_greatest Un_upper2 Un_upper1 Int_lower1 Int_lower2
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	20
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	21	types 'a ctl = "'a set"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	22	constdefs
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	23	imp :: "'a ctl \<Rightarrow> 'a ctl \<Rightarrow> 'a ctl" (infixr "\<rightarrow>" 75)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	24	"p \<rightarrow> q \<equiv> - p \<union> q"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	25
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	26	lemma [intro!]: "p \<inter> p \<rightarrow> q \<subseteq> q" by (unfold imp_def) auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	27	lemma [intro!]: "p \<subseteq> (q \<rightarrow> p)" by (unfold imp_def) rule
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	28
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	29
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	30	text {*
11355 778c369559d9 tuned wenzelm parents: 11352 diff changeset	31	\smallskip The CTL path operators are more interesting; they are
778c369559d9 tuned wenzelm parents: 11352 diff changeset	32	based on an arbitrary, but fixed model @{text \<M>}, which is simply
778c369559d9 tuned wenzelm parents: 11352 diff changeset	33	a transition relation over states @{typ "'a"}.
11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	34	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	35
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	36	consts model :: "('a \<times> 'a) set" ("\<M>")
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	37
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	38	text {*
11355 778c369559d9 tuned wenzelm parents: 11352 diff changeset	39	The operators @{text \<EX>}, @{text \<EF>}, @{text \<EG>} are taken
778c369559d9 tuned wenzelm parents: 11352 diff changeset	40	as primitives, while @{text \<AX>}, @{text \<AF>}, @{text \<AG>} are
11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	41	defined as derived ones. The formula @{text "\<EX> p"} holds in a
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	42	state @{term s}, iff there is a successor state @{term s'} (with
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	43	respect to the model @{term \<M>}), such that @{term p} holds in
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	44	@{term s'}. The formula @{text "\<EF> p"} holds in a state @{term
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	45	s}, iff there is a path in @{text \<M>}, starting from @{term s},
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	46	such that there exists a state @{term s'} on the path, such that
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	47	@{term p} holds in @{term s'}. The formula @{text "\<EG> p"} holds
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	48	in a state @{term s}, iff there is a path, starting from @{term s},
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	49	such that for all states @{term s'} on the path, @{term p} holds in
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	50	@{term s'}. It is easy to see that @{text "\<EF> p"} and @{text
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	51	"\<EG> p"} may be expressed using least and greatest fixed points
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	52	\cite{McMillan-PhDThesis}.
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	53	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	54
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	55	constdefs
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	56	EX :: "'a ctl \<Rightarrow> 'a ctl" ("\<EX> _" [80] 90) "\<EX> p \<equiv> {s. \<exists>s'. (s, s') \<in> \<M> \<and> s' \<in> p}"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	57	EF :: "'a ctl \<Rightarrow> 'a ctl" ("\<EF> _" [80] 90) "\<EF> p \<equiv> lfp (\<lambda>s. p \<union> \<EX> s)"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	58	EG :: "'a ctl \<Rightarrow> 'a ctl" ("\<EG> _" [80] 90) "\<EG> p \<equiv> gfp (\<lambda>s. p \<inter> \<EX> s)"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	59
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	60	text {*
11355 778c369559d9 tuned wenzelm parents: 11352 diff changeset	61	@{text "\<AX>"}, @{text "\<AF>"} and @{text "\<AG>"} are now defined
778c369559d9 tuned wenzelm parents: 11352 diff changeset	62	dually in terms of @{text "\<EX>"}, @{text "\<EF>"} and @{text
778c369559d9 tuned wenzelm parents: 11352 diff changeset	63	"\<EG>"}.
11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	64	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	65
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	66	constdefs
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	67	AX :: "'a ctl \<Rightarrow> 'a ctl" ("\<AX> _" [80] 90) "\<AX> p \<equiv> - \<EX> - p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	68	AF :: "'a ctl \<Rightarrow> 'a ctl" ("\<AF> _" [80] 90) "\<AF> p \<equiv> - \<EG> - p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	69	AG :: "'a ctl \<Rightarrow> 'a ctl" ("\<AG> _" [80] 90) "\<AG> p \<equiv> - \<EF> - p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	70
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	71	lemmas [simp] = EX_def EG_def AX_def EF_def AF_def AG_def
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	72
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	73
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	74	section {* Basic fixed point properties *}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	75
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	76	text {*
11355 778c369559d9 tuned wenzelm parents: 11352 diff changeset	77	\tweakskip First of all, we use the de-Morgan property of fixed
778c369559d9 tuned wenzelm parents: 11352 diff changeset	78	points
11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	79	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	80
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	81	lemma lfp_gfp: "lfp f = - gfp (\<lambda>s . - (f (- s)))"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	82	proof
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	83	show "lfp f \<subseteq> - gfp (\<lambda>s. - f (- s))"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	84	proof
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	85	fix x assume l: "x \<in> lfp f"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	86	show "x \<in> - gfp (\<lambda>s. - f (- s))"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	87	proof
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	88	assume "x \<in> gfp (\<lambda>s. - f (- s))"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	89	then obtain u where "x \<in> u" and "u \<subseteq> - f (- u)" by (unfold gfp_def) auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	90	then have "f (- u) \<subseteq> - u" by auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	91	then have "lfp f \<subseteq> - u" by (rule lfp_lowerbound)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	92	from l and this have "x \<notin> u" by auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	93	then show False by contradiction
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	94	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	95	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	96	show "- gfp (\<lambda>s. - f (- s)) \<subseteq> lfp f"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	97	proof (rule lfp_greatest)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	98	fix u assume "f u \<subseteq> u"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	99	then have "- u \<subseteq> - f u" by auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	100	then have "- u \<subseteq> - f (- (- u))" by simp
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	101	then have "- u \<subseteq> gfp (\<lambda>s. - f (- s))" by (rule gfp_upperbound)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	102	then show "- gfp (\<lambda>s. - f (- s)) \<subseteq> u" by auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	103	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	104	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	105
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	106	lemma lfp_gfp': "- lfp f = gfp (\<lambda>s. - (f (- s)))"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	107	by (simp add: lfp_gfp)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	108
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	109	lemma gfp_lfp': "- gfp f = lfp (\<lambda>s. - (f (- s)))"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	110	by (simp add: lfp_gfp)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	111
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	112	text {*
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	113	in order to give dual fixed point representations of @{term "AF p"}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	114	and @{term "AG p"}:
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	115	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	116
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	117	lemma AF_lfp: "\<AF> p = lfp (\<lambda>s. p \<union> \<AX> s)" by (simp add: lfp_gfp)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	118	lemma AG_gfp: "\<AG> p = gfp (\<lambda>s. p \<inter> \<AX> s)" by (simp add: lfp_gfp)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	119
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	120	lemma EF_fp: "\<EF> p = p \<union> \<EX> \<EF> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	121	proof -
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	122	have "mono (\<lambda>s. p \<union> \<EX> s)" by rule (auto simp add: EX_def)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	123	then show ?thesis by (simp only: EF_def) (rule lfp_unfold)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	124	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	125
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	126	lemma AF_fp: "\<AF> p = p \<union> \<AX> \<AF> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	127	proof -
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	128	have "mono (\<lambda>s. p \<union> \<AX> s)" by rule (auto simp add: AX_def EX_def)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	129	then show ?thesis by (simp only: AF_lfp) (rule lfp_unfold)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	130	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	131
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	132	lemma EG_fp: "\<EG> p = p \<inter> \<EX> \<EG> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	133	proof -
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	134	have "mono (\<lambda>s. p \<inter> \<EX> s)" by rule (auto simp add: EX_def)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	135	then show ?thesis by (simp only: EG_def) (rule gfp_unfold)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	136	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	137
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	138	text {*
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	139	From the greatest fixed point definition of @{term "\<AG> p"}, we
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	140	derive as a consequence of the Knaster-Tarski theorem on the one
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	141	hand that @{term "\<AG> p"} is a fixed point of the monotonic
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	142	function @{term "\<lambda>s. p \<inter> \<AX> s"}.
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	143	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	144
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	145	lemma AG_fp: "\<AG> p = p \<inter> \<AX> \<AG> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	146	proof -
11355 778c369559d9 tuned wenzelm parents: 11352 diff changeset	147	have "mono (\<lambda>s. p \<inter> \<AX> s)" by rule (auto simp add: AX_def EX_def)
778c369559d9 tuned wenzelm parents: 11352 diff changeset	148	then show ?thesis by (simp only: AG_gfp) (rule gfp_unfold)
11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	149	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	150
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	151	text {*
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	152	This fact may be split up into two inequalities (merely using
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	153	transitivity of @{text "\<subseteq>" }, which is an instance of the overloaded
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	154	@{text "\<le>"} in Isabelle/HOL).
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	155	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	156
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	157	lemma AG_fp_1: "\<AG> p \<subseteq> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	158	proof -
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	159	note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> p" by auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	160	finally show ?thesis .
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	161	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	162
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	163	text {**}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	164
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	165	lemma AG_fp_2: "\<AG> p \<subseteq> \<AX> \<AG> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	166	proof -
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	167	note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> \<AX> \<AG> p" by auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	168	finally show ?thesis .
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	169	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	170
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	171	text {*
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	172	On the other hand, we have from the Knaster-Tarski fixed point
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	173	theorem that any other post-fixed point of @{term "\<lambda>s. p \<inter> AX s"} is
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	174	smaller than @{term "AG p"}. A post-fixed point is a set of states
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	175	@{term q} such that @{term "q \<subseteq> p \<inter> AX q"}. This leads to the
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	176	following co-induction principle for @{term "AG p"}.
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	177	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	178
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	179	lemma AG_I: "q \<subseteq> p \<inter> \<AX> q \<Longrightarrow> q \<subseteq> \<AG> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	180	by (simp only: AG_gfp) (rule gfp_upperbound)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	181
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	182
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	183	section {* The tree induction principle \label{sec:calc-ctl-tree-induct} *}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	184
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	185	text {*
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	186	\tweakskip With the most basic facts available, we are now able to
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	187	establish a few more interesting results, leading to the \emph{tree
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	188	induction} principle for @{text AG} (see below). We will use some
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	189	elementary monotonicity and distributivity rules.
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	190	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	191
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	192	lemma AX_int: "\<AX> (p \<inter> q) = \<AX> p \<inter> \<AX> q" by auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	193	lemma AX_mono: "p \<subseteq> q \<Longrightarrow> \<AX> p \<subseteq> \<AX> q" by auto
11355 778c369559d9 tuned wenzelm parents: 11352 diff changeset	194	lemma AG_mono: "p \<subseteq> q \<Longrightarrow> \<AG> p \<subseteq> \<AG> q"
778c369559d9 tuned wenzelm parents: 11352 diff changeset	195	by (simp only: AG_gfp, rule gfp_mono) auto
11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	196
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	197	text {*
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	198	The formula @{term "AG p"} implies @{term "AX p"} (we use
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	199	substitution of @{text "\<subseteq>"} with monotonicity).
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	200	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	201
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	202	lemma AG_AX: "\<AG> p \<subseteq> \<AX> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	203	proof -
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	204	have "\<AG> p \<subseteq> \<AX> \<AG> p" by (rule AG_fp_2)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	205	also have "\<AG> p \<subseteq> p" by (rule AG_fp_1) moreover note AX_mono
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	206	finally show ?thesis .
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	207	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	208
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	209	text {*
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	210	Furthermore we show idempotency of the @{text "\<AG>"} operator.
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	211	The proof is a good example of how accumulated facts may get
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	212	used to feed a single rule step.
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	213	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	214
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	215	lemma AG_AG: "\<AG> \<AG> p = \<AG> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	216	proof
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	217	show "\<AG> \<AG> p \<subseteq> \<AG> p" by (rule AG_fp_1)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	218	next
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	219	show "\<AG> p \<subseteq> \<AG> \<AG> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	220	proof (rule AG_I)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	221	have "\<AG> p \<subseteq> \<AG> p" ..
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	222	moreover have "\<AG> p \<subseteq> \<AX> \<AG> p" by (rule AG_fp_2)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	223	ultimately show "\<AG> p \<subseteq> \<AG> p \<inter> \<AX> \<AG> p" ..
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	224	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	225	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	226
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	227	text {*
11355 778c369559d9 tuned wenzelm parents: 11352 diff changeset	228	\smallskip We now give an alternative characterization of the @{text
778c369559d9 tuned wenzelm parents: 11352 diff changeset	229	"\<AG>"} operator, which describes the @{text "\<AG>"} operator in
778c369559d9 tuned wenzelm parents: 11352 diff changeset	230	an ``operational'' way by tree induction: In a state holds @{term
778c369559d9 tuned wenzelm parents: 11352 diff changeset	231	"AG p"} iff in that state holds @{term p}, and in all reachable
778c369559d9 tuned wenzelm parents: 11352 diff changeset	232	states @{term s} follows from the fact that @{term p} holds in
778c369559d9 tuned wenzelm parents: 11352 diff changeset	233	@{term s}, that @{term p} also holds in all successor states of
778c369559d9 tuned wenzelm parents: 11352 diff changeset	234	@{term s}. We use the co-induction principle @{thm [source] AG_I}
778c369559d9 tuned wenzelm parents: 11352 diff changeset	235	to establish this in a purely algebraic manner.
11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	236	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	237
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	238	theorem AG_induct: "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	239	proof
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	240	show "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> p" (is "?lhs \<subseteq> _")
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	241	proof (rule AG_I)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	242	show "?lhs \<subseteq> p \<inter> \<AX> ?lhs"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	243	proof
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	244	show "?lhs \<subseteq> p" ..
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	245	show "?lhs \<subseteq> \<AX> ?lhs"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	246	proof -
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	247	{
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	248	have "\<AG> (p \<rightarrow> \<AX> p) \<subseteq> p \<rightarrow> \<AX> p" by (rule AG_fp_1)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	249	also have "p \<inter> p \<rightarrow> \<AX> p \<subseteq> \<AX> p" ..
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	250	finally have "?lhs \<subseteq> \<AX> p" by auto
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	251	}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	252	moreover
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	253	{
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	254	have "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> (p \<rightarrow> \<AX> p)" ..
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	255	also have "\<dots> \<subseteq> \<AX> \<dots>" by (rule AG_fp_2)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	256	finally have "?lhs \<subseteq> \<AX> \<AG> (p \<rightarrow> \<AX> p)" .
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	257	}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	258	ultimately have "?lhs \<subseteq> \<AX> p \<inter> \<AX> \<AG> (p \<rightarrow> \<AX> p)" ..
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	259	also have "\<dots> = \<AX> ?lhs" by (simp only: AX_int)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	260	finally show ?thesis .
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	261	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	262	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	263	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	264	next
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	265	show "\<AG> p \<subseteq> p \<inter> \<AG> (p \<rightarrow> \<AX> p)"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	266	proof
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	267	show "\<AG> p \<subseteq> p" by (rule AG_fp_1)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	268	show "\<AG> p \<subseteq> \<AG> (p \<rightarrow> \<AX> p)"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	269	proof -
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	270	have "\<AG> p = \<AG> \<AG> p" by (simp only: AG_AG)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	271	also have "\<AG> p \<subseteq> \<AX> p" by (rule AG_AX) moreover note AG_mono
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	272	also have "\<AX> p \<subseteq> (p \<rightarrow> \<AX> p)" .. moreover note AG_mono
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	273	finally show ?thesis .
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	274	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	275	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	276	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	277
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	278
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	279	section {* An application of tree induction \label{sec:calc-ctl-commute} *}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	280
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	281	text {*
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	282	\tweakskip Further interesting properties of CTL expressions may be
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	283	demonstrated with the help of tree induction; here we show that
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	284	@{text \<AX>} and @{text \<AG>} commute.
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	285	*}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	286
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	287	theorem AG_AX_commute: "\<AG> \<AX> p = \<AX> \<AG> p"
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	288	proof -
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	289	have "\<AG> \<AX> p = \<AX> p \<inter> \<AX> \<AG> \<AX> p" by (rule AG_fp)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	290	also have "\<dots> = \<AX> (p \<inter> \<AG> \<AX> p)" by (simp only: AX_int)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	291	also have "p \<inter> \<AG> \<AX> p = \<AG> p" (is "?lhs = _")
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	292	proof
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	293	have "\<AX> p \<subseteq> p \<rightarrow> \<AX> p" ..
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	294	also have "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p" by (rule AG_induct)
11758 b87aa292f50b fixed auto steps (due to changed atomize); wenzelm parents: 11355 diff changeset	295	also note Int_mono AG_mono
b87aa292f50b fixed auto steps (due to changed atomize); wenzelm parents: 11355 diff changeset	296	ultimately show "?lhs \<subseteq> \<AG> p" by fast
11352 140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	297	next
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	298	have "\<AG> p \<subseteq> p" by (rule AG_fp_1)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	299	moreover
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	300	{
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	301	have "\<AG> p = \<AG> \<AG> p" by (simp only: AG_AG)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	302	also have "\<AG> p \<subseteq> \<AX> p" by (rule AG_AX)
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	303	also note AG_mono
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	304	ultimately have "\<AG> p \<subseteq> \<AG> \<AX> p" .
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	305	}
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	306	ultimately show "\<AG> p \<subseteq> ?lhs" ..
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	307	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	308	finally show ?thesis .
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	309	qed
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	310
140d55f5836d added HOL-CTL example; bauerg parents: diff changeset	311	end

author	kleing
	Mon, 15 Oct 2001 21:04:32 +0200
changeset 11787	85b3735a51e1
parent 11758	b87aa292f50b
child 11862	03801fd2f8fc
permissions	-rw-r--r--