isabelle: doc-src/TutorialI/CTL/document/CTL.tex@cf1289d98902 (annotated)

10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	1	%
9469c039ff57 * empty log message * nipkow parents: diff changeset	2	\begin{isabellebody}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	3	\def\isabellecontext{CTL}%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	4	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	5	\isadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	6	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	7	\endisadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	8	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	9	\isatagtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	10	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	11	\endisatagtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	12	{\isafoldtheory}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	13	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	14	\isadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	15	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	16	\endisadelimtheory
10133 e187dacd248f * empty log message * nipkow parents: 10123 diff changeset	17	%
10971 6852682eaf16 * empty log message * nipkow parents: 10950 diff changeset	18	\isamarkupsubsection{Computation Tree Logic --- CTL%
10395 7ef380745743 updated; wenzelm parents: 10363 diff changeset	19	}
11866 fbd097aec213 updated; wenzelm parents: 11706 diff changeset	20	\isamarkuptrue%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	21	%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	22	\begin{isamarkuptext}%
10217 e61e7e1eacaf * empty log message * nipkow parents: 10212 diff changeset	23	\label{sec:CTL}
11494 23a118849801 revisions and indexing paulson parents: 11231 diff changeset	24	\index{CTL\|(}%
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	25	The semantics of PDL only needs reflexive transitive closure.
bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	26	Let us be adventurous and introduce a more expressive temporal operator.
bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	27	We extend the datatype
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	28	\isa{formula} by a new constructor%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	29	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	30	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	31	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isacharbar}\ AF\ formula%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	32	\begin{isamarkuptext}%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	33	\noindent
10983 59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	34	which stands for ``\emph{A}lways in the \emph{F}uture'':
59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	35	on all infinite paths, at some point the formula holds.
59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	36	Formalizing the notion of an infinite path is easy
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	37	in HOL: it is simply a function from \isa{nat} to \isa{state}.%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	38	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	39	\isamarkuptrue%
27015 f8537d69f514 * empty log message * nipkow parents: 21261 diff changeset	40	\isacommand{definition}\isamarkupfalse%
f8537d69f514 * empty log message * nipkow parents: 21261 diff changeset	41	\ Paths\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}state\ {\isasymRightarrow}\ {\isacharparenleft}nat\ {\isasymRightarrow}\ state{\isacharparenright}set{\isachardoublequoteclose}\ \isakeyword{where}\isanewline
f8537d69f514 * empty log message * nipkow parents: 21261 diff changeset	42	{\isachardoublequoteopen}Paths\ s\ {\isasymequiv}\ {\isacharbraceleft}p{\isachardot}\ s\ {\isacharequal}\ p\ {\isadigit{0}}\ {\isasymand}\ {\isacharparenleft}{\isasymforall}i{\isachardot}\ {\isacharparenleft}p\ i{\isacharcomma}\ p{\isacharparenleft}i{\isacharplus}{\isadigit{1}}{\isacharparenright}{\isacharparenright}\ {\isasymin}\ M{\isacharparenright}{\isacharbraceright}{\isachardoublequoteclose}%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	43	\begin{isamarkuptext}%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	44	\noindent
11494 23a118849801 revisions and indexing paulson parents: 11231 diff changeset	45	This definition allows a succinct statement of the semantics of \isa{AF}:
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	46	\footnote{Do not be misled: neither datatypes nor recursive functions can be
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	47	extended by new constructors or equations. This is just a trick of the
12815 1f073030b97a tuned; wenzelm parents: 12699 diff changeset	48	presentation (see \S\ref{sec:doc-prep-suppress}). In reality one has to define
1f073030b97a tuned; wenzelm parents: 12699 diff changeset	49	a new datatype and a new function.}%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	50	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	51	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	52	{\isachardoublequoteopen}s\ {\isasymTurnstile}\ AF\ f\ \ \ \ {\isacharequal}\ {\isacharparenleft}{\isasymforall}p\ {\isasymin}\ Paths\ s{\isachardot}\ {\isasymexists}i{\isachardot}\ p\ i\ {\isasymTurnstile}\ f{\isacharparenright}{\isachardoublequoteclose}%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	53	\begin{isamarkuptext}%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	54	\noindent
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	55	Model checking \isa{AF} involves a function which
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	56	is just complicated enough to warrant a separate definition:%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	57	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	58	\isamarkuptrue%
27015 f8537d69f514 * empty log message * nipkow parents: 21261 diff changeset	59	\isacommand{definition}\isamarkupfalse%
f8537d69f514 * empty log message * nipkow parents: 21261 diff changeset	60	\ af\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}state\ set\ {\isasymRightarrow}\ state\ set\ {\isasymRightarrow}\ state\ set{\isachardoublequoteclose}\ \isakeyword{where}\isanewline
f8537d69f514 * empty log message * nipkow parents: 21261 diff changeset	61	{\isachardoublequoteopen}af\ A\ T\ {\isasymequiv}\ A\ {\isasymunion}\ {\isacharbraceleft}s{\isachardot}\ {\isasymforall}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymlongrightarrow}\ t\ {\isasymin}\ T{\isacharbraceright}{\isachardoublequoteclose}%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	62	\begin{isamarkuptext}%
7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	63	\noindent
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	64	Now we define \isa{mc\ {\isacharparenleft}AF\ f{\isacharparenright}} as the least set \isa{T} that includes
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	65	\isa{mc\ f} and all states all of whose direct successors are in \isa{T}:%
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	66	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	67	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	68	{\isachardoublequoteopen}mc{\isacharparenleft}AF\ f{\isacharparenright}\ \ \ \ {\isacharequal}\ lfp{\isacharparenleft}af{\isacharparenleft}mc\ f{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	69	\begin{isamarkuptext}%
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	70	\noindent
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	71	Because \isa{af} is monotone in its second argument (and also its first, but
10983 59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	72	that is irrelevant), \isa{af\ A} has a least fixed point:%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	73	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	74	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	75	\isacommand{lemma}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	76	\ mono{\isacharunderscore}af{\isacharcolon}\ {\isachardoublequoteopen}mono{\isacharparenleft}af\ A{\isacharparenright}{\isachardoublequoteclose}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	77	%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	78	\isadelimproof
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	79	%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	80	\endisadelimproof
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	81	%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	82	\isatagproof
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	83	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	84	{\isacharparenleft}simp\ add{\isacharcolon}\ mono{\isacharunderscore}def\ af{\isacharunderscore}def{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	85	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	86	\ blast\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	87	\isacommand{done}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	88	%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	89	\endisatagproof
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	90	{\isafoldproof}%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	91	%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	92	\isadelimproof
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	93	%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	94	\endisadelimproof
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	95	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	96	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	97	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	98	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	99	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	100	\isatagproof
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	101	%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	102	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	103	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	104	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	105	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	106	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	107	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	108	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	109	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	110	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	111	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	112	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	113	\isatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	114	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	115	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	116	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	117	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	118	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	119	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	120	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	121	%
10149 7cfdf6a330a0 * empty log message * nipkow parents: 10133 diff changeset	122	\begin{isamarkuptext}%
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	123	All we need to prove now is \isa{mc\ {\isacharparenleft}AF\ f{\isacharparenright}\ {\isacharequal}\ {\isacharbraceleft}s{\isachardot}\ s\ {\isasymTurnstile}\ AF\ f{\isacharbraceright}}, which states
bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	124	that \isa{mc} and \isa{{\isasymTurnstile}} agree for \isa{AF}\@.
bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	125	This time we prove the two inclusions separately, starting
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	126	with the easy one:%
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	127	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	128	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	129	\isacommand{theorem}\isamarkupfalse%
27015 f8537d69f514 * empty log message * nipkow parents: 21261 diff changeset	130	\ AF{\isacharunderscore}lemma{\isadigit{1}}{\isacharcolon}\ {\isachardoublequoteopen}lfp{\isacharparenleft}af\ A{\isacharparenright}\ {\isasymsubseteq}\ {\isacharbraceleft}s{\isachardot}\ {\isasymforall}p\ {\isasymin}\ Paths\ s{\isachardot}\ {\isasymexists}i{\isachardot}\ p\ i\ {\isasymin}\ A{\isacharbraceright}{\isachardoublequoteclose}%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	131	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	132	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	133	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	134	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	135	\isatagproof
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	136	%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	137	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	138	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	139	In contrast to the analogous proof for \isa{EF}, and just
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	140	for a change, we do not use fixed point induction. Park-induction,
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	141	named after David Park, is weaker but sufficient for this proof:
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	142	\begin{center}
21261 58223c67fd8b updated; wenzelm parents: 19654 diff changeset	143	\isa{f\ S\ {\isasymle}\ S\ {\isasymLongrightarrow}\ lfp\ f\ {\isasymle}\ S} \hfill (\isa{lfp{\isacharunderscore}lowerbound})
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	144	\end{center}
19654 2c02a8054616 updated; wenzelm parents: 19288 diff changeset	145	The instance of the premise \isa{f\ S\ {\isasymsubseteq}\ S} is proved pointwise,
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	146	a decision that \isa{auto} takes for us:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	147	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	148	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	149	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	150	{\isacharparenleft}rule\ lfp{\isacharunderscore}lowerbound{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	151	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	152	{\isacharparenleft}auto\ simp\ add{\isacharcolon}\ af{\isacharunderscore}def\ Paths{\isacharunderscore}def{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	153	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	154	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	155	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}p{\isachardot}\ {\isasymlbrakk}{\isasymforall}t{\isachardot}\ {\isacharparenleft}p\ {\isadigit{0}}{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymlongrightarrow}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	156	\isaindent{\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}p{\isachardot}\ {\isasymlbrakk}{\isasymforall}t{\isachardot}\ }{\isacharparenleft}{\isasymforall}p{\isachardot}\ t\ {\isacharequal}\ p\ {\isadigit{0}}\ {\isasymand}\ {\isacharparenleft}{\isasymforall}i{\isachardot}\ {\isacharparenleft}p\ i{\isacharcomma}\ p\ {\isacharparenleft}Suc\ i{\isacharparenright}{\isacharparenright}\ {\isasymin}\ M{\isacharparenright}\ {\isasymlongrightarrow}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	157	\isaindent{\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}p{\isachardot}\ {\isasymlbrakk}{\isasymforall}t{\isachardot}\ {\isacharparenleft}{\isasymforall}p{\isachardot}\ }{\isacharparenleft}{\isasymexists}i{\isachardot}\ p\ i\ {\isasymin}\ A{\isacharparenright}{\isacharparenright}{\isacharsemicolon}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	158	\isaindent{\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}p{\isachardot}\ \ }{\isasymforall}i{\isachardot}\ {\isacharparenleft}p\ i{\isacharcomma}\ p\ {\isacharparenleft}Suc\ i{\isacharparenright}{\isacharparenright}\ {\isasymin}\ M{\isasymrbrakk}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	159	\isaindent{\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}p{\isachardot}\ }{\isasymLongrightarrow}\ {\isasymexists}i{\isachardot}\ p\ i\ {\isasymin}\ A%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	160	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	161	In this remaining case, we set \isa{t} to \isa{p\ {\isadigit{1}}}.
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	162	The rest is automatic, which is surprising because it involves
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	163	finding the instantiation \isa{{\isasymlambda}i{\isachardot}\ p\ {\isacharparenleft}i\ {\isacharplus}\ {\isadigit{1}}{\isacharparenright}}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	164	for \isa{{\isasymforall}p}.%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	165	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	166	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	167	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	168	{\isacharparenleft}erule{\isacharunderscore}tac\ x\ {\isacharequal}\ {\isachardoublequoteopen}p\ {\isadigit{1}}{\isachardoublequoteclose}\ \isakeyword{in}\ allE{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	169	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	170	{\isacharparenleft}auto{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	171	\isacommand{done}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	172	%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	173	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	174	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	175	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	176	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	177	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	178	\endisadelimproof
11866 fbd097aec213 updated; wenzelm parents: 11706 diff changeset	179	%
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	180	\begin{isamarkuptext}%
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	181	The opposite inclusion is proved by contradiction: if some state
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	182	\isa{s} is not in \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}, then we can construct an
11494 23a118849801 revisions and indexing paulson parents: 11231 diff changeset	183	infinite \isa{A}-avoiding path starting from~\isa{s}. The reason is
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	184	that by unfolding \isa{lfp} we find that if \isa{s} is not in
9469c039ff57 * empty log message * nipkow parents: diff changeset	185	\isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}, then \isa{s} is not in \isa{A} and there is a
10983 59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	186	direct successor of \isa{s} that is again not in \mbox{\isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}}. Iterating this argument yields the promised infinite
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	187	\isa{A}-avoiding path. Let us formalize this sketch.
9469c039ff57 * empty log message * nipkow parents: diff changeset	188
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	189	The one-step argument in the sketch above
bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	190	is proved by a variant of contraposition:%
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	191	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	192	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	193	\isacommand{lemma}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	194	\ not{\isacharunderscore}in{\isacharunderscore}lfp{\isacharunderscore}afD{\isacharcolon}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	195	\ {\isachardoublequoteopen}s\ {\isasymnotin}\ lfp{\isacharparenleft}af\ A{\isacharparenright}\ {\isasymLongrightarrow}\ s\ {\isasymnotin}\ A\ {\isasymand}\ {\isacharparenleft}{\isasymexists}\ t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ t\ {\isasymnotin}\ lfp{\isacharparenleft}af\ A{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}\isanewline
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	196	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	197	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	198	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	199	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	200	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	201	\isatagproof
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	202	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	203	{\isacharparenleft}erule\ contrapos{\isacharunderscore}np{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	204	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	205	{\isacharparenleft}subst\ lfp{\isacharunderscore}unfold{\isacharbrackleft}OF\ mono{\isacharunderscore}af{\isacharbrackright}{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	206	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	207	{\isacharparenleft}simp\ add{\isacharcolon}\ af{\isacharunderscore}def{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	208	\isacommand{done}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	209	%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	210	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	211	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	212	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	213	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	214	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	215	\endisadelimproof
11866 fbd097aec213 updated; wenzelm parents: 11706 diff changeset	216	%
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	217	\begin{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	218	\noindent
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	219	We assume the negation of the conclusion and prove \isa{s\ {\isasymin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}}.
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	220	Unfolding \isa{lfp} once and
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	221	simplifying with the definition of \isa{af} finishes the proof.
9469c039ff57 * empty log message * nipkow parents: diff changeset	222
9469c039ff57 * empty log message * nipkow parents: diff changeset	223	Now we iterate this process. The following construction of the desired
10895 79194f07d356 * empty log message * nipkow parents: 10878 diff changeset	224	path is parameterized by a predicate \isa{Q} that should hold along the path:%
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	225	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	226	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	227	\isacommand{primrec}\isamarkupfalse%
27015 f8537d69f514 * empty log message * nipkow parents: 21261 diff changeset	228	\ path\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}state\ {\isasymRightarrow}\ {\isacharparenleft}state\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}nat\ {\isasymRightarrow}\ state{\isacharparenright}{\isachardoublequoteclose}\ \isakeyword{where}\isanewline
f8537d69f514 * empty log message * nipkow parents: 21261 diff changeset	229	{\isachardoublequoteopen}path\ s\ Q\ {\isadigit{0}}\ {\isacharequal}\ s{\isachardoublequoteclose}\ {\isacharbar}\isanewline
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	230	{\isachardoublequoteopen}path\ s\ Q\ {\isacharparenleft}Suc\ n{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}SOME\ t{\isachardot}\ {\isacharparenleft}path\ s\ Q\ n{\isacharcomma}t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ t{\isacharparenright}{\isachardoublequoteclose}%
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	231	\begin{isamarkuptext}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	232	\noindent
12699 deae80045527 * empty log message * nipkow parents: 12489 diff changeset	233	Element \isa{n\ {\isacharplus}\ {\isadigit{1}}} on this path is some arbitrary successor
10895 79194f07d356 * empty log message * nipkow parents: 10878 diff changeset	234	\isa{t} of element \isa{n} such that \isa{Q\ t} holds. Remember that \isa{SOME\ t{\isachardot}\ R\ t}
10654 458068404143 * empty log message * nipkow parents: 10645 diff changeset	235	is some arbitrary but fixed \isa{t} such that \isa{R\ t} holds (see \S\ref{sec:SOME}). Of
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	236	course, such a \isa{t} need not exist, but that is of no
bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	237	concern to us since we will only use \isa{path} when a
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	238	suitable \isa{t} does exist.
9469c039ff57 * empty log message * nipkow parents: diff changeset	239
10895 79194f07d356 * empty log message * nipkow parents: 10878 diff changeset	240	Let us show that if each state \isa{s} that satisfies \isa{Q}
79194f07d356 * empty log message * nipkow parents: 10878 diff changeset	241	has a successor that again satisfies \isa{Q}, then there exists an infinite \isa{Q}-path:%
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	242	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	243	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	244	\isacommand{lemma}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	245	\ infinity{\isacharunderscore}lemma{\isacharcolon}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	246	\ \ {\isachardoublequoteopen}{\isasymlbrakk}\ Q\ s{\isacharsemicolon}\ {\isasymforall}s{\isachardot}\ Q\ s\ {\isasymlongrightarrow}\ {\isacharparenleft}{\isasymexists}\ t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ t{\isacharparenright}\ {\isasymrbrakk}\ {\isasymLongrightarrow}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	247	\ \ \ {\isasymexists}p{\isasymin}Paths\ s{\isachardot}\ {\isasymforall}i{\isachardot}\ Q{\isacharparenleft}p\ i{\isacharparenright}{\isachardoublequoteclose}%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	248	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	249	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	250	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	251	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	252	\isatagproof
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	253	%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	254	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	255	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	256	First we rephrase the conclusion slightly because we need to prove simultaneously
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	257	both the path property and the fact that \isa{Q} holds:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	258	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	259	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	260	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	261	{\isacharparenleft}subgoal{\isacharunderscore}tac\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	262	\ \ {\isachardoublequoteopen}{\isasymexists}p{\isachardot}\ s\ {\isacharequal}\ p\ {\isadigit{0}}\ {\isasymand}\ {\isacharparenleft}{\isasymforall}i{\isacharcolon}{\isacharcolon}nat{\isachardot}\ {\isacharparenleft}p\ i{\isacharcomma}\ p{\isacharparenleft}i{\isacharplus}{\isadigit{1}}{\isacharparenright}{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q{\isacharparenleft}p\ i{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	263	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	264	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	265	From this proposition the original goal follows easily:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	266	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	267	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	268	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	269	{\isacharparenleft}simp\ add{\isacharcolon}\ Paths{\isacharunderscore}def{\isacharcomma}\ blast{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	270	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	271	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	272	The new subgoal is proved by providing the witness \isa{path\ s\ Q} for \isa{p}:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	273	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	274	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	275	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	276	{\isacharparenleft}rule{\isacharunderscore}tac\ x\ {\isacharequal}\ {\isachardoublequoteopen}path\ s\ Q{\isachardoublequoteclose}\ \isakeyword{in}\ exI{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	277	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	278	{\isacharparenleft}clarsimp{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	279	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	280	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	281	After simplification and clarification, the subgoal has the following form:
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	282	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	283	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}i{\isachardot}\ {\isasymlbrakk}Q\ s{\isacharsemicolon}\ {\isasymforall}s{\isachardot}\ Q\ s\ {\isasymlongrightarrow}\ {\isacharparenleft}{\isasymexists}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ t{\isacharparenright}{\isasymrbrakk}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	284	\isaindent{\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}i{\isachardot}\ }{\isasymLongrightarrow}\ {\isacharparenleft}path\ s\ Q\ i{\isacharcomma}\ SOME\ t{\isachardot}\ {\isacharparenleft}path\ s\ Q\ i{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	285	\isaindent{\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}i{\isachardot}\ {\isasymLongrightarrow}\ }Q\ {\isacharparenleft}path\ s\ Q\ i{\isacharparenright}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	286	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	287	It invites a proof by induction on \isa{i}:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	288	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	289	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	290	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	291	{\isacharparenleft}induct{\isacharunderscore}tac\ i{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	292	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	293	{\isacharparenleft}simp{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	294	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	295	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	296	After simplification, the base case boils down to
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	297	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	298	\ {\isadigit{1}}{\isachardot}\ {\isasymlbrakk}Q\ s{\isacharsemicolon}\ {\isasymforall}s{\isachardot}\ Q\ s\ {\isasymlongrightarrow}\ {\isacharparenleft}{\isasymexists}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ t{\isacharparenright}{\isasymrbrakk}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	299	\isaindent{\ {\isadigit{1}}{\isachardot}\ }{\isasymLongrightarrow}\ {\isacharparenleft}s{\isacharcomma}\ SOME\ t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ t{\isacharparenright}\ {\isasymin}\ M%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	300	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	301	The conclusion looks exceedingly trivial: after all, \isa{t} is chosen such that \isa{{\isacharparenleft}s{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	302	holds. However, we first have to show that such a \isa{t} actually exists! This reasoning
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	303	is embodied in the theorem \isa{someI{\isadigit{2}}{\isacharunderscore}ex}:
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	304	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	305	\ \ \ \ \ {\isasymlbrakk}{\isasymexists}a{\isachardot}\ {\isacharquery}P\ a{\isacharsemicolon}\ {\isasymAnd}x{\isachardot}\ {\isacharquery}P\ x\ {\isasymLongrightarrow}\ {\isacharquery}Q\ x{\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isacharquery}Q\ {\isacharparenleft}SOME\ x{\isachardot}\ {\isacharquery}P\ x{\isacharparenright}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	306	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	307	When we apply this theorem as an introduction rule, \isa{{\isacharquery}P\ x} becomes
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	308	\isa{{\isacharparenleft}s{\isacharcomma}\ x{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ x} and \isa{{\isacharquery}Q\ x} becomes \isa{{\isacharparenleft}s{\isacharcomma}\ x{\isacharparenright}\ {\isasymin}\ M} and we have to prove
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	309	two subgoals: \isa{{\isasymexists}a{\isachardot}\ {\isacharparenleft}s{\isacharcomma}\ a{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ a}, which follows from the assumptions, and
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	310	\isa{{\isacharparenleft}s{\isacharcomma}\ x{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ x\ {\isasymLongrightarrow}\ {\isacharparenleft}s{\isacharcomma}\ x{\isacharparenright}\ {\isasymin}\ M}, which is trivial. Thus it is not surprising that
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	311	\isa{fast} can prove the base case quickly:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	312	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	313	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	314	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	315	{\isacharparenleft}fast\ intro{\isacharcolon}\ someI{\isadigit{2}}{\isacharunderscore}ex{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	316	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	317	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	318	What is worth noting here is that we have used \methdx{fast} rather than
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	319	\isa{blast}. The reason is that \isa{blast} would fail because it cannot
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	320	cope with \isa{someI{\isadigit{2}}{\isacharunderscore}ex}: unifying its conclusion with the current
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	321	subgoal is non-trivial because of the nested schematic variables. For
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	322	efficiency reasons \isa{blast} does not even attempt such unifications.
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	323	Although \isa{fast} can in principle cope with complicated unification
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	324	problems, in practice the number of unifiers arising is often prohibitive and
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	325	the offending rule may need to be applied explicitly rather than
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	326	automatically. This is what happens in the step case.
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	327
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	328	The induction step is similar, but more involved, because now we face nested
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	329	occurrences of \isa{SOME}. As a result, \isa{fast} is no longer able to
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	330	solve the subgoal and we apply \isa{someI{\isadigit{2}}{\isacharunderscore}ex} by hand. We merely
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	331	show the proof commands but do not describe the details:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	332	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	333	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	334	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	335	{\isacharparenleft}simp{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	336	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	337	{\isacharparenleft}rule\ someI{\isadigit{2}}{\isacharunderscore}ex{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	338	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	339	{\isacharparenleft}blast{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	340	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	341	{\isacharparenleft}rule\ someI{\isadigit{2}}{\isacharunderscore}ex{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	342	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	343	{\isacharparenleft}blast{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	344	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	345	{\isacharparenleft}blast{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	346	\isacommand{done}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	347	%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	348	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	349	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	350	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	351	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	352	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	353	\endisadelimproof
11866 fbd097aec213 updated; wenzelm parents: 11706 diff changeset	354	%
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	355	\begin{isamarkuptext}%
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	356	Function \isa{path} has fulfilled its purpose now and can be forgotten.
bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	357	It was merely defined to provide the witness in the proof of the
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	358	\isa{infinity{\isacharunderscore}lemma}. Aficionados of minimal proofs might like to know
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	359	that we could have given the witness without having to define a new function:
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	360	the term
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	361	\begin{isabelle}%
10895 79194f07d356 * empty log message * nipkow parents: 10878 diff changeset	362	\ \ \ \ \ nat{\isacharunderscore}rec\ s\ {\isacharparenleft}{\isasymlambda}n\ t{\isachardot}\ SOME\ u{\isachardot}\ {\isacharparenleft}t{\isacharcomma}\ u{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ Q\ u{\isacharparenright}%
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	363	\end{isabelle}
10895 79194f07d356 * empty log message * nipkow parents: 10878 diff changeset	364	is extensionally equal to \isa{path\ s\ Q},
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	365	where \isa{nat{\isacharunderscore}rec} is the predefined primitive recursor on \isa{nat}.%
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	366	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	367	\isamarkuptrue%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	368	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	369	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	370	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	371	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	372	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	373	\isatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	374	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	375	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	376	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	377	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	378	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	379	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	380	\endisadelimproof
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	381	%
a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	382	\begin{isamarkuptext}%
10187 0376cccd9118 * empty log message * nipkow parents: 10186 diff changeset	383	At last we can prove the opposite direction of \isa{AF{\isacharunderscore}lemma{\isadigit{1}}}:%
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	384	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	385	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	386	\isacommand{theorem}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	387	\ AF{\isacharunderscore}lemma{\isadigit{2}}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharbraceleft}s{\isachardot}\ {\isasymforall}p\ {\isasymin}\ Paths\ s{\isachardot}\ {\isasymexists}i{\isachardot}\ p\ i\ {\isasymin}\ A{\isacharbraceright}\ {\isasymsubseteq}\ lfp{\isacharparenleft}af\ A{\isacharparenright}{\isachardoublequoteclose}%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	388	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	389	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	390	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	391	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	392	\isatagproof
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	393	%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	394	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	395	\noindent
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	396	The proof is again pointwise and then by contraposition:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	397	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	398	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	399	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	400	{\isacharparenleft}rule\ subsetI{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	401	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	402	{\isacharparenleft}erule\ contrapos{\isacharunderscore}pp{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	403	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	404	\ simp%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	405	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	406	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	407	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymnotin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}\ {\isasymLongrightarrow}\ {\isasymexists}p{\isasymin}Paths\ x{\isachardot}\ {\isasymforall}i{\isachardot}\ p\ i\ {\isasymnotin}\ A%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	408	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	409	Applying the \isa{infinity{\isacharunderscore}lemma} as a destruction rule leaves two subgoals, the second
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	410	premise of \isa{infinity{\isacharunderscore}lemma} and the original subgoal:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	411	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	412	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	413	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	414	{\isacharparenleft}drule\ infinity{\isacharunderscore}lemma{\isacharparenright}%
16069 3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	415	\begin{isamarkuptxt}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	416	\begin{isabelle}%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	417	\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ {\isasymforall}s{\isachardot}\ s\ {\isasymnotin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}\ {\isasymlongrightarrow}\ {\isacharparenleft}{\isasymexists}t{\isachardot}\ {\isacharparenleft}s{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ t\ {\isasymnotin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}{\isacharparenright}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	418	\ {\isadigit{2}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ {\isasymexists}p{\isasymin}Paths\ x{\isachardot}\ {\isasymforall}i{\isachardot}\ p\ i\ {\isasymnotin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}\ {\isasymLongrightarrow}\isanewline
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	419	\isaindent{\ {\isadigit{2}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ }{\isasymexists}p{\isasymin}Paths\ x{\isachardot}\ {\isasymforall}i{\isachardot}\ p\ i\ {\isasymnotin}\ A%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	420	\end{isabelle}
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	421	Both are solved automatically:%
3f2a9f400168 * empty log message * nipkow parents: 15904 diff changeset	422	\end{isamarkuptxt}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	423	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	424	\ \isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	425	{\isacharparenleft}auto\ dest{\isacharcolon}\ not{\isacharunderscore}in{\isacharunderscore}lfp{\isacharunderscore}afD{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	426	\isacommand{done}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	427	%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	428	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	429	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	430	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	431	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	432	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	433	\endisadelimproof
11866 fbd097aec213 updated; wenzelm parents: 11706 diff changeset	434	%
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	435	\begin{isamarkuptext}%
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	436	If you find these proofs too complicated, we recommend that you read
bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	437	\S\ref{sec:CTL-revisited}, where we show how inductive definitions lead to
10217 e61e7e1eacaf * empty log message * nipkow parents: 10212 diff changeset	438	simpler arguments.
e61e7e1eacaf * empty log message * nipkow parents: 10212 diff changeset	439
e61e7e1eacaf * empty log message * nipkow parents: 10212 diff changeset	440	The main theorem is proved as for PDL, except that we also derive the
e61e7e1eacaf * empty log message * nipkow parents: 10212 diff changeset	441	necessary equality \isa{lfp{\isacharparenleft}af\ A{\isacharparenright}\ {\isacharequal}\ {\isachardot}{\isachardot}{\isachardot}} by combining
e61e7e1eacaf * empty log message * nipkow parents: 10212 diff changeset	442	\isa{AF{\isacharunderscore}lemma{\isadigit{1}}} and \isa{AF{\isacharunderscore}lemma{\isadigit{2}}} on the spot:%
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	443	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	444	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	445	\isacommand{theorem}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	446	\ {\isachardoublequoteopen}mc\ f\ {\isacharequal}\ {\isacharbraceleft}s{\isachardot}\ s\ {\isasymTurnstile}\ f{\isacharbraceright}{\isachardoublequoteclose}\isanewline
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	447	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	448	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	449	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	450	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	451	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	452	\isatagproof
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	453	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	454	{\isacharparenleft}induct{\isacharunderscore}tac\ f{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	455	\isacommand{apply}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	456	{\isacharparenleft}auto\ simp\ add{\isacharcolon}\ EF{\isacharunderscore}lemma\ equalityI{\isacharbrackleft}OF\ AF{\isacharunderscore}lemma{\isadigit{1}}\ AF{\isacharunderscore}lemma{\isadigit{2}}{\isacharbrackright}{\isacharparenright}\isanewline
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	457	\isacommand{done}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	458	%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	459	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	460	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	461	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	462	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	463	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	464	\endisadelimproof
11866 fbd097aec213 updated; wenzelm parents: 11706 diff changeset	465	%
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	466	\begin{isamarkuptext}%
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	467	The language defined above is not quite CTL\@. The latter also includes an
10983 59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	468	until-operator \isa{EU\ f\ g} with semantics ``there \emph{E}xists a path
11494 23a118849801 revisions and indexing paulson parents: 11231 diff changeset	469	where \isa{f} is true \emph{U}ntil \isa{g} becomes true''. We need
23a118849801 revisions and indexing paulson parents: 11231 diff changeset	470	an auxiliary function:%
10281 9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	471	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	472	\isamarkuptrue%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	473	\isacommand{primrec}\isamarkupfalse%
1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	474	\isanewline
27027 63f0b638355c * empty log message * nipkow parents: 27015 diff changeset	475	until{\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}state\ set\ {\isasymRightarrow}\ state\ set\ {\isasymRightarrow}\ state\ {\isasymRightarrow}\ state\ list\ {\isasymRightarrow}\ bool{\isachardoublequoteclose}\ \isakeyword{where}\isanewline
63f0b638355c * empty log message * nipkow parents: 27015 diff changeset	476	{\isachardoublequoteopen}until\ A\ B\ s\ {\isacharbrackleft}{\isacharbrackright}\ \ \ \ {\isacharequal}\ {\isacharparenleft}s\ {\isasymin}\ B{\isacharparenright}{\isachardoublequoteclose}\ {\isacharbar}\isanewline
17181 5f42dd5e6570 updated; wenzelm parents: 17175 diff changeset	477	{\isachardoublequoteopen}until\ A\ B\ s\ {\isacharparenleft}t{\isacharhash}p{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}s\ {\isasymin}\ A\ {\isasymand}\ {\isacharparenleft}s{\isacharcomma}t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ until\ A\ B\ t\ p{\isacharparenright}{\isachardoublequoteclose}%
10281 9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	478	\begin{isamarkuptext}%
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	479	\noindent
11494 23a118849801 revisions and indexing paulson parents: 11231 diff changeset	480	Expressing the semantics of \isa{EU} is now straightforward:
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	481	\begin{isabelle}%
10983 59961d32b1ae * empty log message * nipkow parents: 10971 diff changeset	482	\ \ \ \ \ s\ {\isasymTurnstile}\ EU\ f\ g\ {\isacharequal}\ {\isacharparenleft}{\isasymexists}p{\isachardot}\ until\ {\isacharbraceleft}t{\isachardot}\ t\ {\isasymTurnstile}\ f{\isacharbraceright}\ {\isacharbraceleft}t{\isachardot}\ t\ {\isasymTurnstile}\ g{\isacharbraceright}\ s\ p{\isacharparenright}%
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	483	\end{isabelle}
10281 9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	484	Note that \isa{EU} is not definable in terms of the other operators!
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	485
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	486	Model checking \isa{EU} is again a least fixed point construction:
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	487	\begin{isabelle}%
10839 1f93f5a27de6 * empty log message * nipkow parents: 10801 diff changeset	488	\ \ \ \ \ mc{\isacharparenleft}EU\ f\ g{\isacharparenright}\ {\isacharequal}\ lfp{\isacharparenleft}{\isasymlambda}T{\isachardot}\ mc\ g\ {\isasymunion}\ mc\ f\ {\isasyminter}\ {\isacharparenleft}M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ T{\isacharparenright}{\isacharparenright}%
10171 59d6633835fa * empty log message * nipkow parents: 10159 diff changeset	489	\end{isabelle}
10281 9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	490
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	491	\begin{exercise}
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	492	Extend the datatype of formulae by the above until operator
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	493	and prove the equivalence between semantics and model checking, i.e.\ that
10186 499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	494	\begin{isabelle}%
499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	495	\ \ \ \ \ mc\ {\isacharparenleft}EU\ f\ g{\isacharparenright}\ {\isacharequal}\ {\isacharbraceleft}s{\isachardot}\ s\ {\isasymTurnstile}\ EU\ f\ g{\isacharbraceright}%
499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	496	\end{isabelle}
499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	497	%For readability you may want to annotate {term EU} with its customary syntax
499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	498	%{text[display]"\| EU formula formula E[_ U _]"}
499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	499	%which enables you to read and write {text"E[f U g]"} instead of {term"EU f g"}.
499637e8f2c6 * empty log message * nipkow parents: 10178 diff changeset	500	\end{exercise}
10867 bda1701848cd lcp's suggestions for CTL paulson parents: 10866 diff changeset	501	For more CTL exercises see, for example, Huth and Ryan \cite{Huth-Ryan-book}.%
10281 9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	502	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	503	\isamarkuptrue%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	504	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	505	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	506	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	507	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	508	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	509	\isatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	510	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	511	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	512	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	513	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	514	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	515	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	516	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	517	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	518	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	519	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	520	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	521	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	522	\isatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	523	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	524	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	525	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	526	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	527	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	528	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	529	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	530	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	531	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	532	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	533	\endisadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	534	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	535	\isatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	536	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	537	\endisatagproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	538	{\isafoldproof}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	539	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	540	\isadelimproof
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	541	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	542	\endisadelimproof
10281 9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	543	%
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	544	\begin{isamarkuptext}%
12334 60bf75e157e4 * empty log message * nipkow parents: 12332 diff changeset	545	Let us close this section with a few words about the executability of
60bf75e157e4 * empty log message * nipkow parents: 12332 diff changeset	546	our model checkers. It is clear that if all sets are finite, they can be
60bf75e157e4 * empty log message * nipkow parents: 12332 diff changeset	547	represented as lists and the usual set operations are easily
60bf75e157e4 * empty log message * nipkow parents: 12332 diff changeset	548	implemented. Only \isa{lfp} requires a little thought. Fortunately, theory
12473 f41e477576b9 * empty log message * nipkow parents: 12334 diff changeset	549	\isa{While{\isacharunderscore}Combinator} in the Library~\cite{HOL-Library} provides a
12334 60bf75e157e4 * empty log message * nipkow parents: 12332 diff changeset	550	theorem stating that in the case of finite sets and a monotone
60bf75e157e4 * empty log message * nipkow parents: 12332 diff changeset	551	function~\isa{F}, the value of \mbox{\isa{lfp\ F}} can be computed by
60bf75e157e4 * empty log message * nipkow parents: 12332 diff changeset	552	iterated application of \isa{F} to~\isa{{\isacharbraceleft}{\isacharbraceright}} until a fixed point is
60bf75e157e4 * empty log message * nipkow parents: 12332 diff changeset	553	reached. It is actually possible to generate executable functional programs
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	554	from HOL definitions, but that is beyond the scope of the tutorial.%
11494 23a118849801 revisions and indexing paulson parents: 11231 diff changeset	555	\index{CTL\|)}%
10159 a72ddfdbfca0 * empty log message * nipkow parents: 10149 diff changeset	556	\end{isamarkuptext}%
17175 1eced27ee0e1 updated; wenzelm parents: 17056 diff changeset	557	\isamarkuptrue%
17056 05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	558	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	559	\isadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	560	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	561	\endisadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	562	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	563	\isatagtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	564	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	565	\endisatagtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	566	{\isafoldtheory}%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	567	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	568	\isadelimtheory
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	569	%
05fc32a23b8b updated; wenzelm parents: 16069 diff changeset	570	\endisadelimtheory
10123 9469c039ff57 * empty log message * nipkow parents: diff changeset	571	\end{isabellebody}%
9469c039ff57 * empty log message * nipkow parents: diff changeset	572	%%% Local Variables:
9469c039ff57 * empty log message * nipkow parents: diff changeset	573	%%% mode: latex
9469c039ff57 * empty log message * nipkow parents: diff changeset	574	%%% TeX-master: "root"
9469c039ff57 * empty log message * nipkow parents: diff changeset	575	%%% End:

author	immler@in.tum.de
	Tue, 20 Jan 2009 18:10:25 +0100
changeset 29591	cf1289d98902
parent 27027	63f0b638355c
child 40406	313a24b66a8d
permissions	-rw-r--r--