isabelle: doc-src/TutorialI/CTL/Base.thy@9469c039ff57 (annotated)

10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	1	(<)theory Base = Main:(>)
9469c039ff57 * empty log message * nipkow parents: diff changeset	2
9469c039ff57 * empty log message * nipkow parents: diff changeset	3	section{A verified model checker}
9469c039ff57 * empty log message * nipkow parents: diff changeset	4
9469c039ff57 * empty log message * nipkow parents: diff changeset	5	text{*
9469c039ff57 * empty log message * nipkow parents: diff changeset	6	Model checking is a very popular technique for the verification of finite
9469c039ff57 * empty log message * nipkow parents: diff changeset	7	state systems (implementations) w.r.t.\ temporal logic formulae
9469c039ff57 * empty log message * nipkow parents: diff changeset	8	(specifications) \cite{Clark}. Its foundations are completely set theoretic
9469c039ff57 * empty log message * nipkow parents: diff changeset	9	and this section shall develop them in HOL. This is done in two steps: first
9469c039ff57 * empty log message * nipkow parents: diff changeset	10	we consider a very simple ``temporal'' logic called propositional dynamic
9469c039ff57 * empty log message * nipkow parents: diff changeset	11	logic (PDL) which we then extend to the temporal logic CTL used in many real
9469c039ff57 * empty log message * nipkow parents: diff changeset	12	model checkers. In each case we give both a traditional semantics (@{text \<Turnstile>}) and a
9469c039ff57 * empty log message * nipkow parents: diff changeset	13	recursive function @{term mc} that maps a formula into the set of all states of
9469c039ff57 * empty log message * nipkow parents: diff changeset	14	the system where the formula is valid. If the system has a finite number of
9469c039ff57 * empty log message * nipkow parents: diff changeset	15	states, @{term mc} is directly executable, i.e.\ a model checker, albeit not a
9469c039ff57 * empty log message * nipkow parents: diff changeset	16	very efficient one. The main proof obligation is to show that the semantics
9469c039ff57 * empty log message * nipkow parents: diff changeset	17	and the model checker agree.
9469c039ff57 * empty log message * nipkow parents: diff changeset	18
9469c039ff57 * empty log message * nipkow parents: diff changeset	19	Our models are transition systems.
9469c039ff57 * empty log message * nipkow parents: diff changeset	20
9469c039ff57 * empty log message * nipkow parents: diff changeset	21	START with simple example: mutex or something.
9469c039ff57 * empty log message * nipkow parents: diff changeset	22
9469c039ff57 * empty log message * nipkow parents: diff changeset	23	Abstracting from this concrete example, we assume there is some type of
9469c039ff57 * empty log message * nipkow parents: diff changeset	24	atomic propositions
9469c039ff57 * empty log message * nipkow parents: diff changeset	25	*}
9469c039ff57 * empty log message * nipkow parents: diff changeset	26
9469c039ff57 * empty log message * nipkow parents: diff changeset	27	typedecl atom
9469c039ff57 * empty log message * nipkow parents: diff changeset	28
9469c039ff57 * empty log message * nipkow parents: diff changeset	29	text{*\noindent
9469c039ff57 * empty log message * nipkow parents: diff changeset	30	which we merely declare rather than define because it is an implicit parameter of our model.
9469c039ff57 * empty log message * nipkow parents: diff changeset	31	Of course it would have been more generic to make @{typ atom} a type parameter of everything
9469c039ff57 * empty log message * nipkow parents: diff changeset	32	but fixing @{typ atom} as above reduces clutter.
9469c039ff57 * empty log message * nipkow parents: diff changeset	33
9469c039ff57 * empty log message * nipkow parents: diff changeset	34	Instead of introducing both a separate type of states and a function
9469c039ff57 * empty log message * nipkow parents: diff changeset	35	telling us which atoms are true in each state we simply identify each
9469c039ff57 * empty log message * nipkow parents: diff changeset	36	state with that set of atoms:
9469c039ff57 * empty log message * nipkow parents: diff changeset	37	*}
9469c039ff57 * empty log message * nipkow parents: diff changeset	38
9469c039ff57 * empty log message * nipkow parents: diff changeset	39	types state = "atom set";
9469c039ff57 * empty log message * nipkow parents: diff changeset	40
9469c039ff57 * empty log message * nipkow parents: diff changeset	41	text{*\noindent
9469c039ff57 * empty log message * nipkow parents: diff changeset	42	Finally we declare an arbitrary but fixed transition system, i.e.\ relation between states:
9469c039ff57 * empty log message * nipkow parents: diff changeset	43	*}
9469c039ff57 * empty log message * nipkow parents: diff changeset	44
9469c039ff57 * empty log message * nipkow parents: diff changeset	45	consts M :: "(state \<times> state)set";
9469c039ff57 * empty log message * nipkow parents: diff changeset	46
9469c039ff57 * empty log message * nipkow parents: diff changeset	47	text{*\noindent
9469c039ff57 * empty log message * nipkow parents: diff changeset	48	Again, we could have made @{term M} a parameter of everything.
9469c039ff57 * empty log message * nipkow parents: diff changeset	49	*}
9469c039ff57 * empty log message * nipkow parents: diff changeset	50	(<)end(>)

author	nipkow
	Mon, 02 Oct 2000 14:32:33 +0200
changeset 10123	9469c039ff57
child 10133	e187dacd248f
permissions	-rw-r--r--