isabelle: src/Doc/Tutorial/CTL/PDL.thy@a13aa1cac0e8 (annotated)

17914 99ead7a7eb42 fix headers; wenzelm parents: 12815 diff changeset	1	(<)theory PDL imports Base begin(>)
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	2
10971 6852682eaf16 * empty log message * nipkow parents: 10895 diff changeset	3	subsection{Propositional Dynamic Logic --- PDL}
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	4
10178 aecb5bf6f76f * empty log message * nipkow parents: 10171 diff changeset	5	text{*\index{PDL\|(}
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	6	The formulae of PDL are built up from atomic propositions via
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	7	negation and conjunction and the two temporal
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	8	connectives @{text AX} and @{text EF}\@. Since formulae are essentially
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	9	syntax trees, they are naturally modelled as a datatype:%
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	10	\footnote{The customary definition of PDL
11207 08188224c24e * empty log message * nipkow parents: 10983 diff changeset	11	\cite{HarelKT-DL} looks quite different from ours, but the two are easily
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	12	shown to be equivalent.}
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	13	*}
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	14
18724 cb6e0064c88c quote "atom"; wenzelm parents: 17914 diff changeset	15	datatype formula = Atom "atom"
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	16	\| Neg formula
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	17	\| And formula formula
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	18	\| AX formula
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	19	\| EF formula
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	20
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	21	text{*\noindent
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	22	This resembles the boolean expression case study in
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	23	\S\ref{sec:boolex}.
27015 f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	24	A validity relation between states and formulae specifies the semantics.
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	25	The syntax annotation allows us to write @{text"s \<Turnstile> f"} instead of
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	26	\hbox{@{text"valid s f"}}. The definition is by recursion over the syntax:
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	27	*}
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	28
27015 f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	29	primrec valid :: "state \<Rightarrow> formula \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80)
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	30	where
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	31	"s \<Turnstile> Atom a = (a \<in> L s)" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	32	"s \<Turnstile> Neg f = (\<not>(s \<Turnstile> f))" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	33	"s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	34	"s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)" \|
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	35	"s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<Turnstile> f)"
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	36
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	37	text{*\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	38	The first three equations should be self-explanatory. The temporal formula
10983 59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	39	@{term"AX f"} means that @{term f} is true in \emph{A}ll ne\emph{X}t states whereas
59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	40	@{term"EF f"} means that there \emph{E}xists some \emph{F}uture state in which @{term f} is
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	41	true. The future is expressed via @{text"\<^sup>*"}, the reflexive transitive
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	42	closure. Because of reflexivity, the future includes the present.
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	43
27015 f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	44	Now we come to the model checker itself. It maps a formula into the
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	45	set of states where the formula is true. It too is defined by
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	46	recursion over the syntax: *}
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	47
27015 f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	48	primrec mc :: "formula \<Rightarrow> state set" where
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	49	"mc(Atom a) = {s. a \<in> L s}" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	50	"mc(Neg f) = -mc f" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	51	"mc(And f g) = mc f \<inter> mc g" \|
f8537d69f514 * empty log message * nipkow parents: 21202 diff changeset	52	"mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}" \|
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	53	"mc(EF f) = lfp(\<lambda>T. mc f \<union> (M\<inverse> `` T))"
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	54
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	55	text{*\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	56	Only the equation for @{term EF} deserves some comments. Remember that the
10839 1f93f5a27de6 * empty log message * nipkow parents: 10801 diff changeset	57	postfix @{text"\<inverse>"} and the infix @{text"``"} are predefined and denote the
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	58	converse of a relation and the image of a set under a relation. Thus
10839 1f93f5a27de6 * empty log message * nipkow parents: 10801 diff changeset	59	@{term "M\<inverse> `` T"} is the set of all predecessors of @{term T} and the least
1f93f5a27de6 * empty log message * nipkow parents: 10801 diff changeset	60	fixed point (@{term lfp}) of @{term"\<lambda>T. mc f \<union> M\<inverse> `` T"} is the least set
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	61	@{term T} containing @{term"mc f"} and all predecessors of @{term T}. If you
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	62	find it hard to see that @{term"mc(EF f)"} contains exactly those states from
10983 59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	63	which there is a path to a state where @{term f} is true, do not worry --- this
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	64	will be proved in a moment.
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	65
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	66	First we prove monotonicity of the function inside @{term lfp}
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	67	in order to make sure it really has a least fixed point.
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	68	*}
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	69
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	70	lemma mono_ef: "mono(\<lambda>T. A \<union> (M\<inverse> `` T))"
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	71	apply(rule monoI)
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	72	apply blast
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	73	done
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	74
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	75	text{*\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	76	Now we can relate model checking and semantics. For the @{text EF} case we need
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	77	a separate lemma:
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	78	*}
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	79
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	80	lemma EF_lemma:
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	81	"lfp(\<lambda>T. A \<union> (M\<inverse> `` T)) = {s. \<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<in> A}"
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	82
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	83	txt{*\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	84	The equality is proved in the canonical fashion by proving that each set
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	85	includes the other; the inclusion is shown pointwise:
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	86	*}
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	87
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	88	apply(rule equalityI)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	89	apply(rule subsetI)
10524 270b285d48ee * empty log message * nipkow parents: 10363 diff changeset	90	apply(simp)(<)apply(rename_tac s)(>)
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	91
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	92	txt{*\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	93	Simplification leaves us with the following first subgoal
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	94	@{subgoals[display,indent=0,goals_limit=1]}
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	95	which is proved by @{term lfp}-induction:
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	96	*}
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	97
21202 6649bf75b9dc Adapted to changes in FixedPoint theory. berghofe parents: 18724 diff changeset	98	apply(erule lfp_induct_set)
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	99	apply(rule mono_ef)
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	100	apply(simp)
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	101	(pr(latex xsymbols symbols);)
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	102	txt{*\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	103	Having disposed of the monotonicity subgoal,
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	104	simplification leaves us with the following goal:
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	105	\begin{isabelle}
10801 c00ac928fc6f * empty log message * nipkow parents: 10800 diff changeset	106	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ A\ {\isasymor}\isanewline
10895 79194f07d356 * empty log message * nipkow parents: 10867 diff changeset	107	\ \ \ \ \ \ \ \ \ x\ {\isasymin}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ {\isacharparenleft}lfp\ {\isacharparenleft}\dots{\isacharparenright}\ {\isasyminter}\ {\isacharbraceleft}x{\isachardot}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A{\isacharbraceright}{\isacharparenright}\isanewline
10801 c00ac928fc6f * empty log message * nipkow parents: 10800 diff changeset	108	\ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	109	\end{isabelle}
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	110	It is proved by @{text blast}, using the transitivity of
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	111	\isa{M\isactrlsup {\isacharasterisk}}.
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	112	*}
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	113
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	114	apply(blast intro: rtrancl_trans)
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	115
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	116	txt{*
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10839 diff changeset	117	We now return to the second set inclusion subgoal, which is again proved
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	118	pointwise:
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	119	*}
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	120
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	121	apply(rule subsetI)
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	122	apply(simp, clarify)
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	123
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	124	txt{*\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	125	After simplification and clarification we are left with
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	126	@{subgoals[display,indent=0,goals_limit=1]}
10801 c00ac928fc6f * empty log message * nipkow parents: 10800 diff changeset	127	This goal is proved by induction on @{term"(s,t)\<in>M\<^sup>*"}. But since the model
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	128	checker works backwards (from @{term t} to @{term s}), we cannot use the
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	129	induction theorem @{thm[source]rtrancl_induct}: it works in the
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	130	forward direction. Fortunately the converse induction theorem
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	131	@{thm[source]converse_rtrancl_induct} already exists:
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	132	@{thm[display,margin=60]converse_rtrancl_induct[no_vars]}
10801 c00ac928fc6f * empty log message * nipkow parents: 10800 diff changeset	133	It says that if @{prop"(a,b):r\<^sup>*"} and we know @{prop"P b"} then we can infer
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	134	@{prop"P a"} provided each step backwards from a predecessor @{term z} of
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	135	@{term b} preserves @{term P}.
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	136	*}
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	137
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	138	apply(erule converse_rtrancl_induct)
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	139
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	140	txt{*\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	141	The base case
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	142	@{subgoals[display,indent=0,goals_limit=1]}
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	143	is solved by unrolling @{term lfp} once
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	144	*}
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	145
11231 30d96882f915 * empty log message * nipkow parents: 11207 diff changeset	146	apply(subst lfp_unfold[OF mono_ef])
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	147
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	148	txt{*
10363 6e8002c1790e * empty log message * nipkow parents: 10242 diff changeset	149	@{subgoals[display,indent=0,goals_limit=1]}
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	150	and disposing of the resulting trivial subgoal automatically:
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	151	*}
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	152
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	153	apply(blast)
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	154
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	155	txt{*\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	156	The proof of the induction step is identical to the one for the base case:
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	157	*}
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	158
11231 30d96882f915 * empty log message * nipkow parents: 11207 diff changeset	159	apply(subst lfp_unfold[OF mono_ef])
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	160	apply(blast)
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	161	done
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	162
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	163	text{*
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	164	The main theorem is proved in the familiar manner: induction followed by
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	165	@{text auto} augmented with the lemma as a simplification rule.
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	166	*}
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	167
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	168	theorem "mc f = {s. s \<Turnstile> f}"
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	169	apply(induct_tac f)
12815 1f073030b97a tuned; wenzelm parents: 12631 diff changeset	170	apply(auto simp add: EF_lemma)
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	171	done
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	172
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	173	text{*
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	174	\begin{exercise}
11458 09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	175	@{term AX} has a dual operator @{term EN}
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	176	(``there exists a next state such that'')%
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	177	\footnote{We cannot use the customary @{text EX}: it is reserved
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	178	as the \textsc{ascii}-equivalent of @{text"\<exists>"}.}
09a6c44a48ea numerous stylistic changes and indexing paulson parents: 11231 diff changeset	179	with the intended semantics
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	180	@{prop[display]"(s \<Turnstile> EN f) = (EX t. (s,t) : M & t \<Turnstile> f)"}
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	181	Fortunately, @{term"EN f"} can already be expressed as a PDL formula. How?
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	182
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	183	Show that the semantics for @{term EF} satisfies the following recursion equation:
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	184	@{prop[display]"(s \<Turnstile> EF f) = (s \<Turnstile> f \| s \<Turnstile> EN(EF f))"}
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	185	\end{exercise}
10178 aecb5bf6f76f * empty log message * nipkow parents: 10171 diff changeset	186	\index{PDL\|)}
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	187	*}
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	188	(<)
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	189	theorem main: "mc f = {s. s \<Turnstile> f}"
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	190	apply(induct_tac f)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	191	apply(auto simp add: EF_lemma)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	192	done
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	193
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	194	lemma aux: "s \<Turnstile> f = (s : mc f)"
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	195	apply(simp add: main)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	196	done
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	197
12631 7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	198	lemma "(s \<Turnstile> EF f) = (s \<Turnstile> f \| s \<Turnstile> Neg(AX(Neg(EF f))))"
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	199	apply(simp only: aux)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	200	apply(simp)
7648ac4a6b95 tuned; wenzelm parents: 11458 diff changeset	201	apply(subst lfp_unfold[OF mono_ef], fast)
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	202	done
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	203
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	204	end
59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	205	(>)

author	blanchet
	Wed, 11 Dec 2013 22:23:42 +0800
changeset 54715	a13aa1cac0e8
parent 48985	5386df44a037
child 58620	7435b6a3f72e
permissions	-rw-r--r--