isabelle: doc-src/TutorialI/CTL/document/PDL.tex@96ca738055a6 (annotated)

10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	1	%
9469c039ff57 * empty log message * nipkow parents: diff changeset	2	\begin{isabellebody}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	3	\def\isabellecontext{PDL}%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	4	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	5	\isadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	6	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	7	\endisadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	8	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	9	\isatagtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	10	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	11	\endisatagtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	12	{\isafoldtheory}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	13	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	14	\isadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	15	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	16	\endisadelimtheory
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	17	%
10971 6852682eaf16 * empty log message * nipkow parents: 10950 diff changeset	18	\isamarkupsubsection{Propositional Dynamic Logic --- PDL%
10395 7ef380745743 updated; wenzelm parents: 10369 diff changeset	19	}
11866 fbd097aec213 updated; wenzelm parents: 11458 diff changeset	20	\isamarkuptrue%
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	21	%
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	22	\begin{isamarkuptext}%
10178 aecb5bf6f76f * empty log message * nipkow parents: 10171 diff changeset	23	\index{PDL\|(}
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	24	The formulae of PDL are built up from atomic propositions via
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	25	negation and conjunction and the two temporal
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	26	connectives \isa{AX} and \isa{EF}\@. Since formulae are essentially
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	27	syntax trees, they are naturally modelled as a datatype:%
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	28	\footnote{The customary definition of PDL
11207 08188224c24e * empty log message * nipkow parents: 10983 diff changeset	29	\cite{HarelKT-DL} looks quite different from ours, but the two are easily
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	30	shown to be equivalent.}%
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	31	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	32	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	33	\isacommand{datatype}\isamarkupfalse%
18724 cb6e0064c88c quote "atom"; wenzelm parents: 17187 diff changeset	34	\ formula\ {\isacharequal}\ Atom\ {\isachardoublequoteopen}atom{\isachardoublequoteclose}\isanewline
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	35	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isacharbar}\ Neg\ formula\isanewline
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	36	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isacharbar}\ And\ formula\ formula\isanewline
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	37	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isacharbar}\ AX\ formula\isanewline
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	38	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isacharbar}\ EF\ formula%
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	39	\begin{isamarkuptext}%
e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	40	\noindent
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	41	This resembles the boolean expression case study in
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	42	\S\ref{sec:boolex}.
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	43	A validity relation between
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	44	states and formulae specifies the semantics:%
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	45	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	46	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	47	\isacommand{consts}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	48	\ valid\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}state\ {\isasymRightarrow}\ formula\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\ \ \ {\isacharparenleft}{\isachardoublequoteopen}{\isacharparenleft}{\isacharunderscore}\ {\isasymTurnstile}\ {\isacharunderscore}{\isacharparenright}{\isachardoublequoteclose}\ {\isacharbrackleft}{\isadigit{8}}{\isadigit{0}}{\isacharcomma}{\isadigit{8}}{\isadigit{0}}{\isacharbrackright}\ {\isadigit{8}}{\isadigit{0}}{\isacharparenright}%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	49	\begin{isamarkuptext}%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	50	\noindent
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	51	The syntax annotation allows us to write \isa{s\ {\isasymTurnstile}\ f} instead of
bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	52	\hbox{\isa{valid\ s\ f}}.
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	53	The definition of \isa{{\isasymTurnstile}} is by recursion over the syntax:%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	54	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	55	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	56	\isacommand{primrec}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	57	\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	58	{\isachardoublequoteopen}s\ {\isasymTurnstile}\ Atom\ a\ \ {\isacharequal}\ {\isacharparenleft}a\ {\isasymin}\ L\ s{\isacharparenright}{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	59	{\isachardoublequoteopen}s\ {\isasymTurnstile}\ Neg\ f\ \ \ {\isacharequal}\ {\isacharparenleft}{\isasymnot}{\isacharparenleft}s\ {\isasymTurnstile}\ f{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	60	{\isachardoublequoteopen}s\ {\isasymTurnstile}\ And\ f\ g\ {\isacharequal}\ {\isacharparenleft}s\ {\isasymTurnstile}\ f\ {\isasymand}\ s\ {\isasymTurnstile}\ g{\isacharparenright}{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	61	{\isachardoublequoteopen}s\ {\isasymTurnstile}\ AX\ f\ \ \ \ {\isacharequal}\ {\isacharparenleft}{\isasymforall}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}t{\isacharparenright}\ {\isasymin}\ M\ {\isasymlongrightarrow}\ t\ {\isasymTurnstile}\ f{\isacharparenright}{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	62	{\isachardoublequoteopen}s\ {\isasymTurnstile}\ EF\ f\ \ \ \ {\isacharequal}\ {\isacharparenleft}{\isasymexists}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymTurnstile}\ f{\isacharparenright}{\isachardoublequoteclose}%
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	63	\begin{isamarkuptext}%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	64	\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	65	The first three equations should be self-explanatory. The temporal formula
10983 59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	66	\isa{AX\ f} means that \isa{f} is true in \emph{A}ll ne\emph{X}t states whereas
59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	67	\isa{EF\ f} means that there \emph{E}xists some \emph{F}uture state in which \isa{f} is
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	68	true. The future is expressed via \isa{\isactrlsup {\isacharasterisk}}, the reflexive transitive
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	69	closure. Because of reflexivity, the future includes the present.
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	70
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	71	Now we come to the model checker itself. It maps a formula into the set of
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	72	states where the formula is true. It too is defined by recursion over the syntax:%
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	73	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	74	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	75	\isacommand{consts}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	76	\ mc\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}formula\ {\isasymRightarrow}\ state\ set{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	77	\isacommand{primrec}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	78	\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	79	{\isachardoublequoteopen}mc{\isacharparenleft}Atom\ a{\isacharparenright}\ \ {\isacharequal}\ {\isacharbraceleft}s{\isachardot}\ a\ {\isasymin}\ L\ s{\isacharbraceright}{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	80	{\isachardoublequoteopen}mc{\isacharparenleft}Neg\ f{\isacharparenright}\ \ \ {\isacharequal}\ {\isacharminus}mc\ f{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	81	{\isachardoublequoteopen}mc{\isacharparenleft}And\ f\ g{\isacharparenright}\ {\isacharequal}\ mc\ f\ {\isasyminter}\ mc\ g{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	82	{\isachardoublequoteopen}mc{\isacharparenleft}AX\ f{\isacharparenright}\ \ \ \ {\isacharequal}\ {\isacharbraceleft}s{\isachardot}\ {\isasymforall}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}t{\isacharparenright}\ {\isasymin}\ M\ \ {\isasymlongrightarrow}\ t\ {\isasymin}\ mc\ f{\isacharbraceright}{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	83	{\isachardoublequoteopen}mc{\isacharparenleft}EF\ f{\isacharparenright}\ \ \ \ {\isacharequal}\ lfp{\isacharparenleft}{\isasymlambda}T{\isachardot}\ mc\ f\ {\isasymunion}\ {\isacharparenleft}M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	84	\begin{isamarkuptext}%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	85	\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	86	Only the equation for \isa{EF} deserves some comments. Remember that the
10839 1f93f5a27de6 * empty log message * nipkow parents: 10801 diff changeset	87	postfix \isa{{\isasyminverse}} and the infix \isa{{\isacharbackquote}{\isacharbackquote}} are predefined and denote the
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	88	converse of a relation and the image of a set under a relation. Thus
10839 1f93f5a27de6 * empty log message * nipkow parents: 10801 diff changeset	89	\isa{M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T} is the set of all predecessors of \isa{T} and the least
1f93f5a27de6 * empty log message * nipkow parents: 10801 diff changeset	90	fixed point (\isa{lfp}) of \isa{{\isasymlambda}T{\isachardot}\ mc\ f\ {\isasymunion}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T} is the least set
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	91	\isa{T} containing \isa{mc\ f} and all predecessors of \isa{T}. If you
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	92	find it hard to see that \isa{mc\ {\isacharparenleft}EF\ f{\isacharparenright}} contains exactly those states from
10983 59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	93	which there is a path to a state where \isa{f} is true, do not worry --- this
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	94	will be proved in a moment.
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	95
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	96	First we prove monotonicity of the function inside \isa{lfp}
bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	97	in order to make sure it really has a least fixed point.%
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	98	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	99	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	100	\isacommand{lemma}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	101	\ mono{\isacharunderscore}ef{\isacharcolon}\ {\isachardoublequoteopen}mono{\isacharparenleft}{\isasymlambda}T{\isachardot}\ A\ {\isasymunion}\ {\isacharparenleft}M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}\isanewline
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	102	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	103	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	104	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	105	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	106	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	107	\isatagproof
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	108	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	109	{\isacharparenleft}rule\ monoI{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	110	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	111	\ blast\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	112	\isacommand{done}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	113	%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	114	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	115	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	116	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	117	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	118	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	119	\endisadelimproof
11866 fbd097aec213 updated; wenzelm parents: 11458 diff changeset	120	%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	121	\begin{isamarkuptext}%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	122	\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	123	Now we can relate model checking and semantics. For the \isa{EF} case we need
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	124	a separate lemma:%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	125	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	126	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	127	\isacommand{lemma}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	128	\ EF{\isacharunderscore}lemma{\isacharcolon}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	129	\ \ {\isachardoublequoteopen}lfp{\isacharparenleft}{\isasymlambda}T{\isachardot}\ A\ {\isasymunion}\ {\isacharparenleft}M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ {\isacharbraceleft}s{\isachardot}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A{\isacharbraceright}{\isachardoublequoteclose}%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	130	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	131	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	132	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	133	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	134	\isatagproof
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	135	%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	136	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	137	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	138	The equality is proved in the canonical fashion by proving that each set
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	139	includes the other; the inclusion is shown pointwise:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	140	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	141	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	142	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	143	{\isacharparenleft}rule\ equalityI{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	144	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	145	{\isacharparenleft}rule\ subsetI{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	146	\ \isacommand{apply}\isamarkupfalse%
17181 5f42dd5e6570 updated; wenzelm parents: 17175 diff changeset	147	{\isacharparenleft}simp{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	148	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	149	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	150	Simplification leaves us with the following first subgoal
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	151	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	152	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}s{\isachardot}\ s\ {\isasymin}\ lfp\ {\isacharparenleft}{\isasymlambda}T{\isachardot}\ A\ {\isasymunion}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T{\isacharparenright}\ {\isasymLongrightarrow}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	153	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	154	which is proved by \isa{lfp}-induction:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	155	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	156	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	157	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	158	{\isacharparenleft}erule\ lfp{\isacharunderscore}induct{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	159	\ \ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	160	{\isacharparenleft}rule\ mono{\isacharunderscore}ef{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	161	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	162	{\isacharparenleft}simp{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	163	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	164	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	165	Having disposed of the monotonicity subgoal,
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	166	simplification leaves us with the following goal:
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	167	\begin{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	168	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ A\ {\isasymor}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	169	\ \ \ \ \ \ \ \ \ x\ {\isasymin}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ {\isacharparenleft}lfp\ {\isacharparenleft}\dots{\isacharparenright}\ {\isasyminter}\ {\isacharbraceleft}x{\isachardot}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A{\isacharbraceright}{\isacharparenright}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	170	\ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	171	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	172	It is proved by \isa{blast}, using the transitivity of
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	173	\isa{M\isactrlsup {\isacharasterisk}}.%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	174	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	175	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	176	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	177	{\isacharparenleft}blast\ intro{\isacharcolon}\ rtrancl{\isacharunderscore}trans{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	178	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	179	We now return to the second set inclusion subgoal, which is again proved
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	180	pointwise:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	181	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	182	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	183	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	184	{\isacharparenleft}rule\ subsetI{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	185	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	186	{\isacharparenleft}simp{\isacharcomma}\ clarify{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	187	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	188	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	189	After simplification and clarification we are left with
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	190	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	191	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ t{\isachardot}\ {\isasymlbrakk}{\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}{\isacharsemicolon}\ t\ {\isasymin}\ A{\isasymrbrakk}\ {\isasymLongrightarrow}\ x\ {\isasymin}\ lfp\ {\isacharparenleft}{\isasymlambda}T{\isachardot}\ A\ {\isasymunion}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T{\isacharparenright}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	192	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	193	This goal is proved by induction on \isa{{\isacharparenleft}s{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}}. But since the model
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	194	checker works backwards (from \isa{t} to \isa{s}), we cannot use the
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	195	induction theorem \isa{rtrancl{\isacharunderscore}induct}: it works in the
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	196	forward direction. Fortunately the converse induction theorem
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	197	\isa{converse{\isacharunderscore}rtrancl{\isacharunderscore}induct} already exists:
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	198	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	199	\ \ \ \ \ {\isasymlbrakk}{\isacharparenleft}a{\isacharcomma}\ b{\isacharparenright}\ {\isasymin}\ r\isactrlsup {\isacharasterisk}{\isacharsemicolon}\ P\ b{\isacharsemicolon}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	200	\isaindent{\ \ \ \ \ \ }{\isasymAnd}y\ z{\isachardot}\ {\isasymlbrakk}{\isacharparenleft}y{\isacharcomma}\ z{\isacharparenright}\ {\isasymin}\ r{\isacharsemicolon}\ {\isacharparenleft}z{\isacharcomma}\ b{\isacharparenright}\ {\isasymin}\ r\isactrlsup {\isacharasterisk}{\isacharsemicolon}\ P\ z{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ y{\isasymrbrakk}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	201	\isaindent{\ \ \ \ \ }{\isasymLongrightarrow}\ P\ a%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	202	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	203	It says that if \isa{{\isacharparenleft}a{\isacharcomma}\ b{\isacharparenright}\ {\isasymin}\ r\isactrlsup {\isacharasterisk}} and we know \isa{P\ b} then we can infer
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	204	\isa{P\ a} provided each step backwards from a predecessor \isa{z} of
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	205	\isa{b} preserves \isa{P}.%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	206	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	207	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	208	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	209	{\isacharparenleft}erule\ converse{\isacharunderscore}rtrancl{\isacharunderscore}induct{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	210	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	211	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	212	The base case
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	213	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	214	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ t{\isachardot}\ t\ {\isasymin}\ A\ {\isasymLongrightarrow}\ t\ {\isasymin}\ lfp\ {\isacharparenleft}{\isasymlambda}T{\isachardot}\ A\ {\isasymunion}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T{\isacharparenright}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	215	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	216	is solved by unrolling \isa{lfp} once%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	217	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	218	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	219	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	220	{\isacharparenleft}subst\ lfp{\isacharunderscore}unfold{\isacharbrackleft}OF\ mono{\isacharunderscore}ef{\isacharbrackright}{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	221	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	222	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	223	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ t{\isachardot}\ t\ {\isasymin}\ A\ {\isasymLongrightarrow}\ t\ {\isasymin}\ A\ {\isasymunion}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ lfp\ {\isacharparenleft}{\isasymlambda}T{\isachardot}\ A\ {\isasymunion}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T{\isacharparenright}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	224	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	225	and disposing of the resulting trivial subgoal automatically:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	226	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	227	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	228	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	229	{\isacharparenleft}blast{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	230	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	231	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	232	The proof of the induction step is identical to the one for the base case:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	233	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	234	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	235	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	236	{\isacharparenleft}subst\ lfp{\isacharunderscore}unfold{\isacharbrackleft}OF\ mono{\isacharunderscore}ef{\isacharbrackright}{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	237	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	238	{\isacharparenleft}blast{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	239	\isacommand{done}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	240	%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	241	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	242	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	243	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	244	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	245	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	246	\endisadelimproof
11866 fbd097aec213 updated; wenzelm parents: 11458 diff changeset	247	%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	248	\begin{isamarkuptext}%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	249	The main theorem is proved in the familiar manner: induction followed by
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	250	\isa{auto} augmented with the lemma as a simplification rule.%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	251	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	252	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	253	\isacommand{theorem}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	254	\ {\isachardoublequoteopen}mc\ f\ {\isacharequal}\ {\isacharbraceleft}s{\isachardot}\ s\ {\isasymTurnstile}\ f{\isacharbraceright}{\isachardoublequoteclose}\isanewline
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	255	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	256	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	257	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	258	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	259	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	260	\isatagproof
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	261	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	262	{\isacharparenleft}induct{\isacharunderscore}tac\ f{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	263	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	264	{\isacharparenleft}auto\ simp\ add{\isacharcolon}\ EF{\isacharunderscore}lemma{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	265	\isacommand{done}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	266	%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	267	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	268	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	269	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	270	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	271	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	272	\endisadelimproof
11866 fbd097aec213 updated; wenzelm parents: 11458 diff changeset	273	%
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	274	\begin{isamarkuptext}%
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	275	\begin{exercise}
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	276	\isa{AX} has a dual operator \isa{EN}
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	277	(``there exists a next state such that'')%
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	278	\footnote{We cannot use the customary \isa{EX}: it is reserved
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	279	as the \textsc{ascii}-equivalent of \isa{{\isasymexists}}.}
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	280	with the intended semantics
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	281	\begin{isabelle}%
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	282	\ \ \ \ \ s\ {\isasymTurnstile}\ EN\ f\ {\isacharequal}\ {\isacharparenleft}{\isasymexists}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ t\ {\isasymTurnstile}\ f{\isacharparenright}%
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	283	\end{isabelle}
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	284	Fortunately, \isa{EN\ f} can already be expressed as a PDL formula. How?
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	285
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	286	Show that the semantics for \isa{EF} satisfies the following recursion equation:
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	287	\begin{isabelle}%
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	288	\ \ \ \ \ s\ {\isasymTurnstile}\ EF\ f\ {\isacharequal}\ {\isacharparenleft}s\ {\isasymTurnstile}\ f\ {\isasymor}\ s\ {\isasymTurnstile}\ EN\ {\isacharparenleft}EF\ f{\isacharparenright}{\isacharparenright}%
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	289	\end{isabelle}
10178 aecb5bf6f76f * empty log message * nipkow parents: 10171 diff changeset	290	\end{exercise}
aecb5bf6f76f * empty log message * nipkow parents: 10171 diff changeset	291	\index{PDL\|)}%
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	292	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	293	\isamarkuptrue%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	294	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	295	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	296	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	297	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	298	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	299	\isatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	300	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	301	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	302	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	303	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	304	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	305	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	306	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	307	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	308	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	309	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	310	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	311	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	312	\isatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	313	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	314	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	315	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	316	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	317	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	318	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	319	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	320	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	321	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	322	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	323	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	324	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	325	\isatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	326	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	327	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	328	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	329	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	330	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	331	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	332	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	333	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	334	\isadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	335	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	336	\endisadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	337	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	338	\isatagtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	339	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	340	\endisatagtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	341	{\isafoldtheory}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	342	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	343	\isadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	344	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	345	\endisadelimtheory
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	346	\end{isabellebody}%
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	347	%%% Local Variables:
9469c039ff57 * empty log message * nipkow parents: diff changeset	348	%%% mode: latex
9469c039ff57 * empty log message * nipkow parents: diff changeset	349	%%% TeX-master: "root"
9469c039ff57 * empty log message * nipkow parents: diff changeset	350	%%% End:

author	paulson
	Tue, 28 Mar 2006 16:48:18 +0200
changeset 19334	96ca738055a6
parent 18724	cb6e0064c88c
child 21261	58223c67fd8b
permissions	-rw-r--r--