isabelle: doc-src/TutorialI/CTL/document/Base.tex@9469c039ff57 (annotated)

10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	1	%
9469c039ff57 * empty log message * nipkow parents: diff changeset	2	\begin{isabellebody}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	3	\def\isabellecontext{Base}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	4	%
9469c039ff57 * empty log message * nipkow parents: diff changeset	5	\isamarkupsection{A verified model checker}
9469c039ff57 * empty log message * nipkow parents: diff changeset	6	%
9469c039ff57 * empty log message * nipkow parents: diff changeset	7	\begin{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	8	Model checking is a very popular technique for the verification of finite
9469c039ff57 * empty log message * nipkow parents: diff changeset	9	state systems (implementations) w.r.t.\ temporal logic formulae
9469c039ff57 * empty log message * nipkow parents: diff changeset	10	(specifications) \cite{Clark}. Its foundations are completely set theoretic
9469c039ff57 * empty log message * nipkow parents: diff changeset	11	and this section shall develop them in HOL. This is done in two steps: first
9469c039ff57 * empty log message * nipkow parents: diff changeset	12	we consider a very simple ``temporal'' logic called propositional dynamic
9469c039ff57 * empty log message * nipkow parents: diff changeset	13	logic (PDL) which we then extend to the temporal logic CTL used in many real
9469c039ff57 * empty log message * nipkow parents: diff changeset	14	model checkers. In each case we give both a traditional semantics (\isa{{\isasymTurnstile}}) and a
9469c039ff57 * empty log message * nipkow parents: diff changeset	15	recursive function \isa{mc} that maps a formula into the set of all states of
9469c039ff57 * empty log message * nipkow parents: diff changeset	16	the system where the formula is valid. If the system has a finite number of
9469c039ff57 * empty log message * nipkow parents: diff changeset	17	states, \isa{mc} is directly executable, i.e.\ a model checker, albeit not a
9469c039ff57 * empty log message * nipkow parents: diff changeset	18	very efficient one. The main proof obligation is to show that the semantics
9469c039ff57 * empty log message * nipkow parents: diff changeset	19	and the model checker agree.
9469c039ff57 * empty log message * nipkow parents: diff changeset	20
9469c039ff57 * empty log message * nipkow parents: diff changeset	21	Our models are transition systems.
9469c039ff57 * empty log message * nipkow parents: diff changeset	22
9469c039ff57 * empty log message * nipkow parents: diff changeset	23	START with simple example: mutex or something.
9469c039ff57 * empty log message * nipkow parents: diff changeset	24
9469c039ff57 * empty log message * nipkow parents: diff changeset	25	Abstracting from this concrete example, we assume there is some type of
9469c039ff57 * empty log message * nipkow parents: diff changeset	26	atomic propositions%
9469c039ff57 * empty log message * nipkow parents: diff changeset	27	\end{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	28	\isacommand{typedecl}\ atom%
9469c039ff57 * empty log message * nipkow parents: diff changeset	29	\begin{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	30	\noindent
9469c039ff57 * empty log message * nipkow parents: diff changeset	31	which we merely declare rather than define because it is an implicit parameter of our model.
9469c039ff57 * empty log message * nipkow parents: diff changeset	32	Of course it would have been more generic to make \isa{atom} a type parameter of everything
9469c039ff57 * empty log message * nipkow parents: diff changeset	33	but fixing \isa{atom} as above reduces clutter.
9469c039ff57 * empty log message * nipkow parents: diff changeset	34
9469c039ff57 * empty log message * nipkow parents: diff changeset	35	Instead of introducing both a separate type of states and a function
9469c039ff57 * empty log message * nipkow parents: diff changeset	36	telling us which atoms are true in each state we simply identify each
9469c039ff57 * empty log message * nipkow parents: diff changeset	37	state with that set of atoms:%
9469c039ff57 * empty log message * nipkow parents: diff changeset	38	\end{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	39	\isacommand{types}\ state\ {\isacharequal}\ {\isachardoublequote}atom\ set{\isachardoublequote}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	40	\begin{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	41	\noindent
9469c039ff57 * empty log message * nipkow parents: diff changeset	42	Finally we declare an arbitrary but fixed transition system, i.e.\ relation between states:%
9469c039ff57 * empty log message * nipkow parents: diff changeset	43	\end{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	44	\isacommand{consts}\ M\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequote}{\isacharparenleft}state\ {\isasymtimes}\ state{\isacharparenright}set{\isachardoublequote}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	45	\begin{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	46	\noindent
9469c039ff57 * empty log message * nipkow parents: diff changeset	47	Again, we could have made \isa{M} a parameter of everything.%
9469c039ff57 * empty log message * nipkow parents: diff changeset	48	\end{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	49	\end{isabellebody}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	50	%%% Local Variables:
9469c039ff57 * empty log message * nipkow parents: diff changeset	51	%%% mode: latex
9469c039ff57 * empty log message * nipkow parents: diff changeset	52	%%% TeX-master: "root"
9469c039ff57 * empty log message * nipkow parents: diff changeset	53	%%% End:

author	nipkow
	Mon, 02 Oct 2000 14:32:33 +0200
changeset 10123	9469c039ff57
child 10133	e187dacd248f
permissions	-rw-r--r--