isabelle: src/Doc/Tutorial/CTL/PDL.thy@8b575e1fef3b (annotated)

17914 99ead7a7eb42 fix headers; wenzelm parents: 12815 diff changeset	1	(<)theory PDL imports Base begin(>)
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	2
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	3	subsection\<open>Propositional Dynamic Logic --- PDL\<close>
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	4
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	5	text\<open>\index{PDL\|(}
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	6	The formulae of PDL are built up from atomic propositions via
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	7	negation and conjunction and the two temporal
69505 cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	8	connectives \<open>AX\<close> and \<open>EF\<close>\@. Since formulae are essentially
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	9	syntax trees, they are naturally modelled as a datatype:%
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	10	\footnote{The customary definition of PDL
76987 4c275405faae isabelle update -u cite; wenzelm parents: 69597 diff changeset	11	\<^cite>\<open>"HarelKT-DL"\<close> looks quite different from ours, but the two are easily
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	12	shown to be equivalent.}
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	13	\<close>
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	14
18724 cb6e0064c88c quote "atom"; wenzelm parents: 17914 diff changeset	15	datatype formula = Atom "atom"
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	16	\| Neg formula
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	17	\| And formula formula
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	18	\| AX formula
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	19	\| EF formula
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	20
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	21	text\<open>\noindent
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	22	This resembles the boolean expression case study in
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	23	\S\ref{sec:boolex}.
27015 f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	24	A validity relation between states and formulae specifies the semantics.
69505 cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	25	The syntax annotation allows us to write \<open>s \<Turnstile> f\<close> instead of
cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	26	\hbox{\<open>valid s f\<close>}. The definition is by recursion over the syntax:
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	27	\<close>
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	28
80983 2cc651d3ce8e partial revert of d97fdabd9e2b, to build old documentation more reliably; wenzelm parents: 80914 diff changeset	29	primrec valid :: "state \<Rightarrow> formula \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80)
27015 f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	30	where
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	31	"s \<Turnstile> Atom a = (a \<in> L s)" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	32	"s \<Turnstile> Neg f = (\<not>(s \<Turnstile> f))" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	33	"s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	34	"s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)" \|
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	35	"s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<Turnstile> f)"
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	36
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	37	text\<open>\noindent
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	38	The first three equations should be self-explanatory. The temporal formula
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	39	\<^term>\<open>AX f\<close> means that \<^term>\<open>f\<close> is true in \emph{A}ll ne\emph{X}t states whereas
ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	40	\<^term>\<open>EF f\<close> means that there \emph{E}xists some \emph{F}uture state in which \<^term>\<open>f\<close> is
69505 cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	41	true. The future is expressed via \<open>\<^sup>*\<close>, the reflexive transitive
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	42	closure. Because of reflexivity, the future includes the present.
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	43
27015 f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	44	Now we come to the model checker itself. It maps a formula into the
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	45	set of states where the formula is true. It too is defined by
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	46	recursion over the syntax:\<close>
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	47
27015 f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	48	primrec mc :: "formula \<Rightarrow> state set" where
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	49	"mc(Atom a) = {s. a \<in> L s}" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	50	"mc(Neg f) = -mc f" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	51	"mc(And f g) = mc f \<inter> mc g" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	52	"mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}" \|
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	53	"mc(EF f) = lfp(\<lambda>T. mc f \<union> (M\<inverse> `` T))"
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	54
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	55	text\<open>\noindent
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	56	Only the equation for \<^term>\<open>EF\<close> deserves some comments. Remember that the
69505 cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	57	postfix \<open>\<inverse>\<close> and the infix \<open>``\<close> are predefined and denote the
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	58	converse of a relation and the image of a set under a relation. Thus
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	59	\<^term>\<open>M\<inverse> `` T\<close> is the set of all predecessors of \<^term>\<open>T\<close> and the least
ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	60	fixed point (\<^term>\<open>lfp\<close>) of \<^term>\<open>\<lambda>T. mc f \<union> M\<inverse> `` T\<close> is the least set
ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	61	\<^term>\<open>T\<close> containing \<^term>\<open>mc f\<close> and all predecessors of \<^term>\<open>T\<close>. If you
ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	62	find it hard to see that \<^term>\<open>mc(EF f)\<close> contains exactly those states from
ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	63	which there is a path to a state where \<^term>\<open>f\<close> is true, do not worry --- this
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	64	will be proved in a moment.
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	65
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	66	First we prove monotonicity of the function inside \<^term>\<open>lfp\<close>
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	67	in order to make sure it really has a least fixed point.
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	68	\<close>
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	69
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	70	lemma mono_ef: "mono(\<lambda>T. A \<union> (M\<inverse> `` T))"
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	71	apply(rule monoI)
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	72	apply blast
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	73	done
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	74
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	75	text\<open>\noindent
69505 cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	76	Now we can relate model checking and semantics. For the \<open>EF\<close> case we need
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	77	a separate lemma:
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	78	\<close>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	79
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	80	lemma EF_lemma:
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	81	"lfp(\<lambda>T. A \<union> (M\<inverse> `` T)) = {s. \<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<in> A}"
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	82
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	83	txt\<open>\noindent
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	84	The equality is proved in the canonical fashion by proving that each set
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	85	includes the other; the inclusion is shown pointwise:
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	86	\<close>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	87
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	88	apply(rule equalityI)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	89	apply(rule subsetI)
10524 270b285d48ee * empty log message * nipkow parents: 10363 diff changeset	90	apply(simp)(<)apply(rename_tac s)(>)
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	91
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	92	txt\<open>\noindent
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	93	Simplification leaves us with the following first subgoal
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	94	@{subgoals[display,indent=0,goals_limit=1]}
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	95	which is proved by \<^term>\<open>lfp\<close>-induction:
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	96	\<close>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	97
21202 6649bf75b9dc Adapted to changes in FixedPoint theory. berghofe parents: 18724 diff changeset	98	apply(erule lfp_induct_set)
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	99	apply(rule mono_ef)
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	100	apply(simp)
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	101	txt\<open>\noindent
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	102	Having disposed of the monotonicity subgoal,
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	103	simplification leaves us with the following goal:
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	104	\begin{isabelle}
10801 c00ac928fc6f * empty log message * nipkow parents: 10800 diff changeset	105	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ A\ {\isasymor}\isanewline
10895 79194f07d356 * empty log message * nipkow parents: 10867 diff changeset	106	\ \ \ \ \ \ \ \ \ x\ {\isasymin}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ {\isacharparenleft}lfp\ {\isacharparenleft}\dots{\isacharparenright}\ {\isasyminter}\ {\isacharbraceleft}x{\isachardot}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A{\isacharbraceright}{\isacharparenright}\isanewline
10801 c00ac928fc6f * empty log message * nipkow parents: 10800 diff changeset	107	\ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	108	\end{isabelle}
69505 cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	109	It is proved by \<open>blast\<close>, using the transitivity of
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	110	\isa{M\isactrlsup {\isacharasterisk}}.
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	111	\<close>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	112
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	113	apply(blast intro: rtrancl_trans)
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	114
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	115	txt\<open>
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	116	We now return to the second set inclusion subgoal, which is again proved
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	117	pointwise:
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	118	\<close>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	119
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	120	apply(rule subsetI)
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	121	apply(simp, clarify)
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	122
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	123	txt\<open>\noindent
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	124	After simplification and clarification we are left with
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	125	@{subgoals[display,indent=0,goals_limit=1]}
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	126	This goal is proved by induction on \<^term>\<open>(s,t)\<in>M\<^sup>*\<close>. But since the model
ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	127	checker works backwards (from \<^term>\<open>t\<close> to \<^term>\<open>s\<close>), we cannot use the
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	128	induction theorem @{thm[source]rtrancl_induct}: it works in the
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	129	forward direction. Fortunately the converse induction theorem
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	130	@{thm[source]converse_rtrancl_induct} already exists:
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	131	@{thm[display,margin=60]converse_rtrancl_induct[no_vars]}
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	132	It says that if \<^prop>\<open>(a,b)\<in>r\<^sup>*\<close> and we know \<^prop>\<open>P b\<close> then we can infer
ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	133	\<^prop>\<open>P a\<close> provided each step backwards from a predecessor \<^term>\<open>z\<close> of
ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	134	\<^term>\<open>b\<close> preserves \<^term>\<open>P\<close>.
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	135	\<close>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	136
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	137	apply(erule converse_rtrancl_induct)
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	138
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	139	txt\<open>\noindent
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	140	The base case
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	141	@{subgoals[display,indent=0,goals_limit=1]}
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	142	is solved by unrolling \<^term>\<open>lfp\<close> once
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	143	\<close>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	144
11231 30d96882f915 * empty log message * nipkow parents: 11207 diff changeset	145	apply(subst lfp_unfold[OF mono_ef])
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	146
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	147	txt\<open>
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	148	@{subgoals[display,indent=0,goals_limit=1]}
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	149	and disposing of the resulting trivial subgoal automatically:
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	150	\<close>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	151
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	152	apply(blast)
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	153
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	154	txt\<open>\noindent
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	155	The proof of the induction step is identical to the one for the base case:
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	156	\<close>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	157
11231 30d96882f915 * empty log message * nipkow parents: 11207 diff changeset	158	apply(subst lfp_unfold[OF mono_ef])
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	159	apply(blast)
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	160	done
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	161
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	162	text\<open>
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	163	The main theorem is proved in the familiar manner: induction followed by
69505 cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	164	\<open>auto\<close> augmented with the lemma as a simplification rule.
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	165	\<close>
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	166
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	167	theorem "mc f = {s. s \<Turnstile> f}"
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	168	apply(induct_tac f)
12815 1f073030b97a tuned; wenzelm parents: 12631 diff changeset	169	apply(auto simp add: EF_lemma)
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	170	done
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	171
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	172	text\<open>
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	173	\begin{exercise}
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	174	\<^term>\<open>AX\<close> has a dual operator \<^term>\<open>EN\<close>
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	175	(``there exists a next state such that'')%
69505 cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	176	\footnote{We cannot use the customary \<open>EX\<close>: it is reserved
cc2d676d5395 isabelle update_cartouches -t; wenzelm parents: 67613 diff changeset	177	as the \textsc{ascii}-equivalent of \<open>\<exists>\<close>.}
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	178	with the intended semantics
67613 ce654b0e6d69 more symbols; wenzelm parents: 67406 diff changeset	179	@{prop[display]"(s \<Turnstile> EN f) = (\<exists>t. (s,t) \<in> M \<and> t \<Turnstile> f)"}
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	180	Fortunately, \<^term>\<open>EN f\<close> can already be expressed as a PDL formula. How?
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	181
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 69505 diff changeset	182	Show that the semantics for \<^term>\<open>EF\<close> satisfies the following recursion equation:
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	183	@{prop[display]"(s \<Turnstile> EF f) = (s \<Turnstile> f \| s \<Turnstile> EN(EF f))"}
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	184	\end{exercise}
10178 aecb5bf6f76f * empty log message * nipkow parents: 10171 diff changeset	185	\index{PDL\|)}
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 61991 diff changeset	186	\<close>
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	187	(<)
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	188	theorem main: "mc f = {s. s \<Turnstile> f}"
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	189	apply(induct_tac f)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	190	apply(auto simp add: EF_lemma)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	191	done
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	192
67613 ce654b0e6d69 more symbols; wenzelm parents: 67406 diff changeset	193	lemma aux: "s \<Turnstile> f = (s \<in> mc f)"
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	194	apply(simp add: main)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	195	done
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	196
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	197	lemma "(s \<Turnstile> EF f) = (s \<Turnstile> f \| s \<Turnstile> Neg(AX(Neg(EF f))))"
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	198	apply(simp only: aux)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	199	apply(simp)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	200	apply(subst lfp_unfold[OF mono_ef], fast)
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	201	done
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	202
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	203	end
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	204	(>)

author	haftmann
	Sun, 06 Apr 2025 14:21:18 +0200
changeset 82452	8b575e1fef3b
parent 80983	2cc651d3ce8e
permissions	-rw-r--r--