author | wenzelm |
Wed, 27 Jul 2022 13:13:59 +0200 | |
changeset 75709 | a068fb7346ef |
parent 69597 | ff784d5a5bfb |
child 76987 | 4c275405faae |
permissions | -rw-r--r-- |
15871 | 1 |
(* Title: HOL/ex/CTL.thy |
2 |
Author: Gertrud Bauer |
|
3 |
*) |
|
4 |
||
61343 | 5 |
section \<open>CTL formulae\<close> |
15871 | 6 |
|
46685 | 7 |
theory CTL |
8 |
imports Main |
|
9 |
begin |
|
15871 | 10 |
|
61343 | 11 |
text \<open> |
61934 | 12 |
We formalize basic concepts of Computational Tree Logic (CTL) @{cite |
13 |
"McMillan-PhDThesis" and "McMillan-LectureNotes"} within the simply-typed |
|
14 |
set theory of HOL. |
|
15871 | 15 |
|
61934 | 16 |
By using the common technique of ``shallow embedding'', a CTL formula is |
17 |
identified with the corresponding set of states where it holds. |
|
18 |
Consequently, CTL operations such as negation, conjunction, disjunction |
|
19 |
simply become complement, intersection, union of sets. We only require a |
|
20 |
separate operation for implication, as point-wise inclusion is usually not |
|
21 |
encountered in plain set-theory. |
|
61343 | 22 |
\<close> |
15871 | 23 |
|
24 |
lemmas [intro!] = Int_greatest Un_upper2 Un_upper1 Int_lower1 Int_lower2 |
|
25 |
||
42463 | 26 |
type_synonym 'a ctl = "'a set" |
20807 | 27 |
|
63054 | 28 |
definition imp :: "'a ctl \<Rightarrow> 'a ctl \<Rightarrow> 'a ctl" (infixr "\<rightarrow>" 75) |
29 |
where "p \<rightarrow> q = - p \<union> q" |
|
15871 | 30 |
|
20807 | 31 |
lemma [intro!]: "p \<inter> p \<rightarrow> q \<subseteq> q" unfolding imp_def by auto |
32 |
lemma [intro!]: "p \<subseteq> (q \<rightarrow> p)" unfolding imp_def by rule |
|
15871 | 33 |
|
34 |
||
61343 | 35 |
text \<open> |
61934 | 36 |
\<^smallskip> |
37 |
The CTL path operators are more interesting; they are based on an arbitrary, |
|
38 |
but fixed model \<open>\<M>\<close>, which is simply a transition relation over states |
|
69597 | 39 |
\<^typ>\<open>'a\<close>. |
61343 | 40 |
\<close> |
15871 | 41 |
|
20807 | 42 |
axiomatization \<M> :: "('a \<times> 'a) set" |
15871 | 43 |
|
61343 | 44 |
text \<open> |
63055 | 45 |
The operators \<open>\<^bold>E\<^bold>X\<close>, \<open>\<^bold>E\<^bold>F\<close>, \<open>\<^bold>E\<^bold>G\<close> are taken as primitives, while \<open>\<^bold>A\<^bold>X\<close>, |
46 |
\<open>\<^bold>A\<^bold>F\<close>, \<open>\<^bold>A\<^bold>G\<close> are defined as derived ones. The formula \<open>\<^bold>E\<^bold>X p\<close> holds in a |
|
47 |
state \<open>s\<close>, iff there is a successor state \<open>s'\<close> (with respect to the model |
|
48 |
\<open>\<M>\<close>), such that \<open>p\<close> holds in \<open>s'\<close>. The formula \<open>\<^bold>E\<^bold>F p\<close> holds in a state |
|
49 |
\<open>s\<close>, iff there is a path in \<open>\<M>\<close>, starting from \<open>s\<close>, such that there exists a |
|
50 |
state \<open>s'\<close> on the path, such that \<open>p\<close> holds in \<open>s'\<close>. The formula \<open>\<^bold>E\<^bold>G p\<close> |
|
51 |
holds in a state \<open>s\<close>, iff there is a path, starting from \<open>s\<close>, such that for |
|
52 |
all states \<open>s'\<close> on the path, \<open>p\<close> holds in \<open>s'\<close>. It is easy to see that \<open>\<^bold>E\<^bold>F |
|
53 |
p\<close> and \<open>\<^bold>E\<^bold>G p\<close> may be expressed using least and greatest fixed points |
|
54 |
@{cite "McMillan-PhDThesis"}. |
|
61343 | 55 |
\<close> |
15871 | 56 |
|
63055 | 57 |
definition EX ("\<^bold>E\<^bold>X _" [80] 90) |
58 |
where [simp]: "\<^bold>E\<^bold>X p = {s. \<exists>s'. (s, s') \<in> \<M> \<and> s' \<in> p}" |
|
59 |
||
60 |
definition EF ("\<^bold>E\<^bold>F _" [80] 90) |
|
61 |
where [simp]: "\<^bold>E\<^bold>F p = lfp (\<lambda>s. p \<union> \<^bold>E\<^bold>X s)" |
|
62 |
||
63 |
definition EG ("\<^bold>E\<^bold>G _" [80] 90) |
|
64 |
where [simp]: "\<^bold>E\<^bold>G p = gfp (\<lambda>s. p \<inter> \<^bold>E\<^bold>X s)" |
|
15871 | 65 |
|
61343 | 66 |
text \<open> |
63055 | 67 |
\<open>\<^bold>A\<^bold>X\<close>, \<open>\<^bold>A\<^bold>F\<close> and \<open>\<^bold>A\<^bold>G\<close> are now defined dually in terms of \<open>\<^bold>E\<^bold>X\<close>, |
68 |
\<open>\<^bold>E\<^bold>F\<close> and \<open>\<^bold>E\<^bold>G\<close>. |
|
61343 | 69 |
\<close> |
15871 | 70 |
|
63055 | 71 |
definition AX ("\<^bold>A\<^bold>X _" [80] 90) |
72 |
where [simp]: "\<^bold>A\<^bold>X p = - \<^bold>E\<^bold>X - p" |
|
73 |
definition AF ("\<^bold>A\<^bold>F _" [80] 90) |
|
74 |
where [simp]: "\<^bold>A\<^bold>F p = - \<^bold>E\<^bold>G - p" |
|
75 |
definition AG ("\<^bold>A\<^bold>G _" [80] 90) |
|
76 |
where [simp]: "\<^bold>A\<^bold>G p = - \<^bold>E\<^bold>F - p" |
|
15871 | 77 |
|
78 |
||
61343 | 79 |
subsection \<open>Basic fixed point properties\<close> |
15871 | 80 |
|
61343 | 81 |
text \<open> |
61934 | 82 |
First of all, we use the de-Morgan property of fixed points. |
61343 | 83 |
\<close> |
15871 | 84 |
|
21026 | 85 |
lemma lfp_gfp: "lfp f = - gfp (\<lambda>s::'a set. - (f (- s)))" |
15871 | 86 |
proof |
87 |
show "lfp f \<subseteq> - gfp (\<lambda>s. - f (- s))" |
|
88 |
proof |
|
63054 | 89 |
show "x \<in> - gfp (\<lambda>s. - f (- s))" if l: "x \<in> lfp f" for x |
15871 | 90 |
proof |
91 |
assume "x \<in> gfp (\<lambda>s. - f (- s))" |
|
21026 | 92 |
then obtain u where "x \<in> u" and "u \<subseteq> - f (- u)" |
32587
caa5ada96a00
Inter and Union are mere abbreviations for Inf and Sup
haftmann
parents:
26813
diff
changeset
|
93 |
by (auto simp add: gfp_def) |
15871 | 94 |
then have "f (- u) \<subseteq> - u" by auto |
95 |
then have "lfp f \<subseteq> - u" by (rule lfp_lowerbound) |
|
96 |
from l and this have "x \<notin> u" by auto |
|
61343 | 97 |
with \<open>x \<in> u\<close> show False by contradiction |
15871 | 98 |
qed |
99 |
qed |
|
100 |
show "- gfp (\<lambda>s. - f (- s)) \<subseteq> lfp f" |
|
101 |
proof (rule lfp_greatest) |
|
63054 | 102 |
fix u |
103 |
assume "f u \<subseteq> u" |
|
15871 | 104 |
then have "- u \<subseteq> - f u" by auto |
105 |
then have "- u \<subseteq> - f (- (- u))" by simp |
|
106 |
then have "- u \<subseteq> gfp (\<lambda>s. - f (- s))" by (rule gfp_upperbound) |
|
107 |
then show "- gfp (\<lambda>s. - f (- s)) \<subseteq> u" by auto |
|
108 |
qed |
|
109 |
qed |
|
110 |
||
21026 | 111 |
lemma lfp_gfp': "- lfp f = gfp (\<lambda>s::'a set. - (f (- s)))" |
15871 | 112 |
by (simp add: lfp_gfp) |
113 |
||
21026 | 114 |
lemma gfp_lfp': "- gfp f = lfp (\<lambda>s::'a set. - (f (- s)))" |
15871 | 115 |
by (simp add: lfp_gfp) |
116 |
||
61343 | 117 |
text \<open> |
69597 | 118 |
In order to give dual fixed point representations of \<^term>\<open>\<^bold>A\<^bold>F p\<close> and |
119 |
\<^term>\<open>\<^bold>A\<^bold>G p\<close>: |
|
61343 | 120 |
\<close> |
15871 | 121 |
|
63055 | 122 |
lemma AF_lfp: "\<^bold>A\<^bold>F p = lfp (\<lambda>s. p \<union> \<^bold>A\<^bold>X s)" |
61934 | 123 |
by (simp add: lfp_gfp) |
15871 | 124 |
|
63055 | 125 |
lemma AG_gfp: "\<^bold>A\<^bold>G p = gfp (\<lambda>s. p \<inter> \<^bold>A\<^bold>X s)" |
126 |
by (simp add: lfp_gfp) |
|
127 |
||
128 |
lemma EF_fp: "\<^bold>E\<^bold>F p = p \<union> \<^bold>E\<^bold>X \<^bold>E\<^bold>F p" |
|
15871 | 129 |
proof - |
63055 | 130 |
have "mono (\<lambda>s. p \<union> \<^bold>E\<^bold>X s)" by rule auto |
15871 | 131 |
then show ?thesis by (simp only: EF_def) (rule lfp_unfold) |
132 |
qed |
|
133 |
||
63055 | 134 |
lemma AF_fp: "\<^bold>A\<^bold>F p = p \<union> \<^bold>A\<^bold>X \<^bold>A\<^bold>F p" |
15871 | 135 |
proof - |
63055 | 136 |
have "mono (\<lambda>s. p \<union> \<^bold>A\<^bold>X s)" by rule auto |
15871 | 137 |
then show ?thesis by (simp only: AF_lfp) (rule lfp_unfold) |
138 |
qed |
|
139 |
||
63055 | 140 |
lemma EG_fp: "\<^bold>E\<^bold>G p = p \<inter> \<^bold>E\<^bold>X \<^bold>E\<^bold>G p" |
15871 | 141 |
proof - |
63055 | 142 |
have "mono (\<lambda>s. p \<inter> \<^bold>E\<^bold>X s)" by rule auto |
15871 | 143 |
then show ?thesis by (simp only: EG_def) (rule gfp_unfold) |
144 |
qed |
|
145 |
||
61343 | 146 |
text \<open> |
69597 | 147 |
From the greatest fixed point definition of \<^term>\<open>\<^bold>A\<^bold>G p\<close>, we derive as |
148 |
a consequence of the Knaster-Tarski theorem on the one hand that \<^term>\<open>\<^bold>A\<^bold>G p\<close> is a fixed point of the monotonic function |
|
149 |
\<^term>\<open>\<lambda>s. p \<inter> \<^bold>A\<^bold>X s\<close>. |
|
61343 | 150 |
\<close> |
15871 | 151 |
|
63055 | 152 |
lemma AG_fp: "\<^bold>A\<^bold>G p = p \<inter> \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" |
15871 | 153 |
proof - |
63055 | 154 |
have "mono (\<lambda>s. p \<inter> \<^bold>A\<^bold>X s)" by rule auto |
15871 | 155 |
then show ?thesis by (simp only: AG_gfp) (rule gfp_unfold) |
156 |
qed |
|
157 |
||
61343 | 158 |
text \<open> |
61934 | 159 |
This fact may be split up into two inequalities (merely using transitivity |
160 |
of \<open>\<subseteq>\<close>, which is an instance of the overloaded \<open>\<le>\<close> in Isabelle/HOL). |
|
61343 | 161 |
\<close> |
15871 | 162 |
|
63055 | 163 |
lemma AG_fp_1: "\<^bold>A\<^bold>G p \<subseteq> p" |
15871 | 164 |
proof - |
63055 | 165 |
note AG_fp also have "p \<inter> \<^bold>A\<^bold>X \<^bold>A\<^bold>G p \<subseteq> p" by auto |
15871 | 166 |
finally show ?thesis . |
167 |
qed |
|
168 |
||
63055 | 169 |
lemma AG_fp_2: "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" |
15871 | 170 |
proof - |
63055 | 171 |
note AG_fp also have "p \<inter> \<^bold>A\<^bold>X \<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" by auto |
15871 | 172 |
finally show ?thesis . |
173 |
qed |
|
174 |
||
61343 | 175 |
text \<open> |
61934 | 176 |
On the other hand, we have from the Knaster-Tarski fixed point theorem that |
69597 | 177 |
any other post-fixed point of \<^term>\<open>\<lambda>s. p \<inter> \<^bold>A\<^bold>X s\<close> is smaller than |
178 |
\<^term>\<open>\<^bold>A\<^bold>G p\<close>. A post-fixed point is a set of states \<open>q\<close> such that \<^term>\<open>q \<subseteq> p \<inter> \<^bold>A\<^bold>X q\<close>. This leads to the following co-induction principle for |
|
179 |
\<^term>\<open>\<^bold>A\<^bold>G p\<close>. |
|
61343 | 180 |
\<close> |
15871 | 181 |
|
63055 | 182 |
lemma AG_I: "q \<subseteq> p \<inter> \<^bold>A\<^bold>X q \<Longrightarrow> q \<subseteq> \<^bold>A\<^bold>G p" |
15871 | 183 |
by (simp only: AG_gfp) (rule gfp_upperbound) |
184 |
||
185 |
||
61343 | 186 |
subsection \<open>The tree induction principle \label{sec:calc-ctl-tree-induct}\<close> |
15871 | 187 |
|
61343 | 188 |
text \<open> |
61934 | 189 |
With the most basic facts available, we are now able to establish a few more |
63055 | 190 |
interesting results, leading to the \<^emph>\<open>tree induction\<close> principle for \<open>\<^bold>A\<^bold>G\<close> |
61934 | 191 |
(see below). We will use some elementary monotonicity and distributivity |
192 |
rules. |
|
61343 | 193 |
\<close> |
15871 | 194 |
|
63055 | 195 |
lemma AX_int: "\<^bold>A\<^bold>X (p \<inter> q) = \<^bold>A\<^bold>X p \<inter> \<^bold>A\<^bold>X q" by auto |
196 |
lemma AX_mono: "p \<subseteq> q \<Longrightarrow> \<^bold>A\<^bold>X p \<subseteq> \<^bold>A\<^bold>X q" by auto |
|
197 |
lemma AG_mono: "p \<subseteq> q \<Longrightarrow> \<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>G q" |
|
198 |
by (simp only: AG_gfp, rule gfp_mono) auto |
|
15871 | 199 |
|
61343 | 200 |
text \<open> |
69597 | 201 |
The formula \<^term>\<open>AG p\<close> implies \<^term>\<open>AX p\<close> (we use substitution of |
61934 | 202 |
\<open>\<subseteq>\<close> with monotonicity). |
61343 | 203 |
\<close> |
15871 | 204 |
|
63055 | 205 |
lemma AG_AX: "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>X p" |
15871 | 206 |
proof - |
63055 | 207 |
have "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" by (rule AG_fp_2) |
208 |
also have "\<^bold>A\<^bold>G p \<subseteq> p" by (rule AG_fp_1) |
|
61934 | 209 |
moreover note AX_mono |
15871 | 210 |
finally show ?thesis . |
211 |
qed |
|
212 |
||
61343 | 213 |
text \<open> |
63055 | 214 |
Furthermore we show idempotency of the \<open>\<^bold>A\<^bold>G\<close> operator. The proof is a good |
61934 | 215 |
example of how accumulated facts may get used to feed a single rule step. |
61343 | 216 |
\<close> |
15871 | 217 |
|
63055 | 218 |
lemma AG_AG: "\<^bold>A\<^bold>G \<^bold>A\<^bold>G p = \<^bold>A\<^bold>G p" |
15871 | 219 |
proof |
63055 | 220 |
show "\<^bold>A\<^bold>G \<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>G p" by (rule AG_fp_1) |
15871 | 221 |
next |
63055 | 222 |
show "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>G \<^bold>A\<^bold>G p" |
15871 | 223 |
proof (rule AG_I) |
63055 | 224 |
have "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>G p" .. |
225 |
moreover have "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" by (rule AG_fp_2) |
|
226 |
ultimately show "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>G p \<inter> \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" .. |
|
15871 | 227 |
qed |
228 |
qed |
|
229 |
||
61343 | 230 |
text \<open> |
61934 | 231 |
\<^smallskip> |
63055 | 232 |
We now give an alternative characterization of the \<open>\<^bold>A\<^bold>G\<close> operator, which |
233 |
describes the \<open>\<^bold>A\<^bold>G\<close> operator in an ``operational'' way by tree induction: |
|
69597 | 234 |
In a state holds \<^term>\<open>AG p\<close> iff in that state holds \<open>p\<close>, and in all |
63055 | 235 |
reachable states \<open>s\<close> follows from the fact that \<open>p\<close> holds in \<open>s\<close>, that \<open>p\<close> |
236 |
also holds in all successor states of \<open>s\<close>. We use the co-induction principle |
|
237 |
@{thm [source] AG_I} to establish this in a purely algebraic manner. |
|
61343 | 238 |
\<close> |
15871 | 239 |
|
63055 | 240 |
theorem AG_induct: "p \<inter> \<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p) = \<^bold>A\<^bold>G p" |
15871 | 241 |
proof |
63055 | 242 |
show "p \<inter> \<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p) \<subseteq> \<^bold>A\<^bold>G p" (is "?lhs \<subseteq> _") |
15871 | 243 |
proof (rule AG_I) |
63055 | 244 |
show "?lhs \<subseteq> p \<inter> \<^bold>A\<^bold>X ?lhs" |
15871 | 245 |
proof |
246 |
show "?lhs \<subseteq> p" .. |
|
63055 | 247 |
show "?lhs \<subseteq> \<^bold>A\<^bold>X ?lhs" |
15871 | 248 |
proof - |
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32587
diff
changeset
|
249 |
{ |
63055 | 250 |
have "\<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p) \<subseteq> p \<rightarrow> \<^bold>A\<^bold>X p" by (rule AG_fp_1) |
251 |
also have "p \<inter> p \<rightarrow> \<^bold>A\<^bold>X p \<subseteq> \<^bold>A\<^bold>X p" .. |
|
252 |
finally have "?lhs \<subseteq> \<^bold>A\<^bold>X p" by auto |
|
253 |
} |
|
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32587
diff
changeset
|
254 |
moreover |
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32587
diff
changeset
|
255 |
{ |
63055 | 256 |
have "p \<inter> \<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p) \<subseteq> \<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p)" .. |
257 |
also have "\<dots> \<subseteq> \<^bold>A\<^bold>X \<dots>" by (rule AG_fp_2) |
|
258 |
finally have "?lhs \<subseteq> \<^bold>A\<^bold>X \<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p)" . |
|
259 |
} |
|
260 |
ultimately have "?lhs \<subseteq> \<^bold>A\<^bold>X p \<inter> \<^bold>A\<^bold>X \<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p)" .. |
|
261 |
also have "\<dots> = \<^bold>A\<^bold>X ?lhs" by (simp only: AX_int) |
|
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32587
diff
changeset
|
262 |
finally show ?thesis . |
15871 | 263 |
qed |
264 |
qed |
|
265 |
qed |
|
266 |
next |
|
63055 | 267 |
show "\<^bold>A\<^bold>G p \<subseteq> p \<inter> \<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p)" |
15871 | 268 |
proof |
63055 | 269 |
show "\<^bold>A\<^bold>G p \<subseteq> p" by (rule AG_fp_1) |
270 |
show "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p)" |
|
15871 | 271 |
proof - |
63055 | 272 |
have "\<^bold>A\<^bold>G p = \<^bold>A\<^bold>G \<^bold>A\<^bold>G p" by (simp only: AG_AG) |
273 |
also have "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>X p" by (rule AG_AX) moreover note AG_mono |
|
274 |
also have "\<^bold>A\<^bold>X p \<subseteq> (p \<rightarrow> \<^bold>A\<^bold>X p)" .. moreover note AG_mono |
|
15871 | 275 |
finally show ?thesis . |
276 |
qed |
|
277 |
qed |
|
278 |
qed |
|
279 |
||
280 |
||
61343 | 281 |
subsection \<open>An application of tree induction \label{sec:calc-ctl-commute}\<close> |
15871 | 282 |
|
61343 | 283 |
text \<open> |
61934 | 284 |
Further interesting properties of CTL expressions may be demonstrated with |
63055 | 285 |
the help of tree induction; here we show that \<open>\<^bold>A\<^bold>X\<close> and \<open>\<^bold>A\<^bold>G\<close> commute. |
61343 | 286 |
\<close> |
15871 | 287 |
|
63055 | 288 |
theorem AG_AX_commute: "\<^bold>A\<^bold>G \<^bold>A\<^bold>X p = \<^bold>A\<^bold>X \<^bold>A\<^bold>G p" |
15871 | 289 |
proof - |
63055 | 290 |
have "\<^bold>A\<^bold>G \<^bold>A\<^bold>X p = \<^bold>A\<^bold>X p \<inter> \<^bold>A\<^bold>X \<^bold>A\<^bold>G \<^bold>A\<^bold>X p" by (rule AG_fp) |
291 |
also have "\<dots> = \<^bold>A\<^bold>X (p \<inter> \<^bold>A\<^bold>G \<^bold>A\<^bold>X p)" by (simp only: AX_int) |
|
292 |
also have "p \<inter> \<^bold>A\<^bold>G \<^bold>A\<^bold>X p = \<^bold>A\<^bold>G p" (is "?lhs = _") |
|
293 |
proof |
|
294 |
have "\<^bold>A\<^bold>X p \<subseteq> p \<rightarrow> \<^bold>A\<^bold>X p" .. |
|
295 |
also have "p \<inter> \<^bold>A\<^bold>G (p \<rightarrow> \<^bold>A\<^bold>X p) = \<^bold>A\<^bold>G p" by (rule AG_induct) |
|
15871 | 296 |
also note Int_mono AG_mono |
63055 | 297 |
ultimately show "?lhs \<subseteq> \<^bold>A\<^bold>G p" by fast |
298 |
next |
|
299 |
have "\<^bold>A\<^bold>G p \<subseteq> p" by (rule AG_fp_1) |
|
300 |
moreover |
|
15871 | 301 |
{ |
63055 | 302 |
have "\<^bold>A\<^bold>G p = \<^bold>A\<^bold>G \<^bold>A\<^bold>G p" by (simp only: AG_AG) |
303 |
also have "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>X p" by (rule AG_AX) |
|
15871 | 304 |
also note AG_mono |
63055 | 305 |
ultimately have "\<^bold>A\<^bold>G p \<subseteq> \<^bold>A\<^bold>G \<^bold>A\<^bold>X p" . |
306 |
} |
|
307 |
ultimately show "\<^bold>A\<^bold>G p \<subseteq> ?lhs" .. |
|
308 |
qed |
|
15871 | 309 |
finally show ?thesis . |
310 |
qed |
|
311 |
||
312 |
end |