isabelle: doc-src/TutorialI/CTL/CTL.thy@e187dacd248f (annotated)

10133 e187dacd248f * empty log message * nipkow parents: 10000 diff changeset	1	(<)theory CTL = Base:(>)
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	2
10133 e187dacd248f * empty log message * nipkow parents: 10000 diff changeset	3	subsection{Computation tree logic---CTL}
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	4
67f2920862c7 * empty log message * nipkow parents: diff changeset	5	datatype ctl_form = Atom atom
67f2920862c7 * empty log message * nipkow parents: diff changeset	6	\| NOT ctl_form
67f2920862c7 * empty log message * nipkow parents: diff changeset	7	\| And ctl_form ctl_form
67f2920862c7 * empty log message * nipkow parents: diff changeset	8	\| AX ctl_form
67f2920862c7 * empty log message * nipkow parents: diff changeset	9	\| EF ctl_form
67f2920862c7 * empty log message * nipkow parents: diff changeset	10	\| AF ctl_form;
67f2920862c7 * empty log message * nipkow parents: diff changeset	11
67f2920862c7 * empty log message * nipkow parents: diff changeset	12	consts valid :: "state \<Rightarrow> ctl_form \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80)
67f2920862c7 * empty log message * nipkow parents: diff changeset	13
67f2920862c7 * empty log message * nipkow parents: diff changeset	14	constdefs Paths :: "state \<Rightarrow> (nat \<Rightarrow> state)set"
67f2920862c7 * empty log message * nipkow parents: diff changeset	15	"Paths s \<equiv> {p. s = p 0 \<and> (\<forall>i. (p i, p(i+1)) \<in> M)}";
67f2920862c7 * empty log message * nipkow parents: diff changeset	16
67f2920862c7 * empty log message * nipkow parents: diff changeset	17	primrec
10133 e187dacd248f * empty log message * nipkow parents: 10000 diff changeset	18	"s \<Turnstile> Atom a = (a \<in> L s)"
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	19	"s \<Turnstile> NOT f = (~(s \<Turnstile> f))"
67f2920862c7 * empty log message * nipkow parents: diff changeset	20	"s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)"
67f2920862c7 * empty log message * nipkow parents: diff changeset	21	"s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)"
67f2920862c7 * empty log message * nipkow parents: diff changeset	22	"s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M^* \<and> t \<Turnstile> f)"
67f2920862c7 * empty log message * nipkow parents: diff changeset	23	"s \<Turnstile> AF f = (\<forall>p \<in> Paths s. \<exists>i. p i \<Turnstile> f)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	24
67f2920862c7 * empty log message * nipkow parents: diff changeset	25	constdefs af :: "state set \<Rightarrow> state set \<Rightarrow> state set"
67f2920862c7 * empty log message * nipkow parents: diff changeset	26	"af A T \<equiv> A \<union> {s. \<forall>t. (s, t) \<in> M \<longrightarrow> t \<in> T}";
67f2920862c7 * empty log message * nipkow parents: diff changeset	27
67f2920862c7 * empty log message * nipkow parents: diff changeset	28	lemma mono_af: "mono(af A)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	29	by(force simp add: af_def intro:monoI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	30
67f2920862c7 * empty log message * nipkow parents: diff changeset	31	consts mc :: "ctl_form \<Rightarrow> state set";
67f2920862c7 * empty log message * nipkow parents: diff changeset	32	primrec
10133 e187dacd248f * empty log message * nipkow parents: 10000 diff changeset	33	"mc(Atom a) = {s. a \<in> L s}"
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	34	"mc(NOT f) = -mc f"
67f2920862c7 * empty log message * nipkow parents: diff changeset	35	"mc(And f g) = mc f \<inter> mc g"
67f2920862c7 * empty log message * nipkow parents: diff changeset	36	"mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}"
67f2920862c7 * empty log message * nipkow parents: diff changeset	37	"mc(EF f) = lfp(\<lambda>T. mc f \<union> {s. \<exists>t. (s,t)\<in>M \<and> t\<in>T})"
67f2920862c7 * empty log message * nipkow parents: diff changeset	38	"mc(AF f) = lfp(af(mc f))";
67f2920862c7 * empty log message * nipkow parents: diff changeset	39
67f2920862c7 * empty log message * nipkow parents: diff changeset	40	lemma mono_ef: "mono(\<lambda>T. A \<union> {s. \<exists>t. (s,t)\<in>M \<and> t\<in>T})";
67f2920862c7 * empty log message * nipkow parents: diff changeset	41	apply(rule monoI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	42	by(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	43
67f2920862c7 * empty log message * nipkow parents: diff changeset	44	lemma lfp_conv_EF:
67f2920862c7 * empty log message * nipkow parents: diff changeset	45	"lfp(\<lambda>T. A \<union> {s. \<exists>t. (s,t)\<in>M \<and> t\<in>T}) = {s. \<exists>t. (s,t) \<in> M^* \<and> t \<in> A}";
67f2920862c7 * empty log message * nipkow parents: diff changeset	46	apply(rule equalityI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	47	apply(rule subsetI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	48	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	49	apply(erule Lfp.induct);
67f2920862c7 * empty log message * nipkow parents: diff changeset	50	apply(rule mono_ef);
67f2920862c7 * empty log message * nipkow parents: diff changeset	51	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	52	apply(blast intro: r_into_rtrancl rtrancl_trans);
67f2920862c7 * empty log message * nipkow parents: diff changeset	53	apply(rule subsetI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	54	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	55	apply(erule exE);
67f2920862c7 * empty log message * nipkow parents: diff changeset	56	apply(erule conjE);
67f2920862c7 * empty log message * nipkow parents: diff changeset	57	apply(erule_tac P = "t\<in>A" in rev_mp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	58	apply(erule converse_rtrancl_induct);
67f2920862c7 * empty log message * nipkow parents: diff changeset	59	apply(rule ssubst [OF lfp_Tarski[OF mono_ef]]);
67f2920862c7 * empty log message * nipkow parents: diff changeset	60	apply(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	61	apply(rule ssubst [OF lfp_Tarski[OF mono_ef]]);
67f2920862c7 * empty log message * nipkow parents: diff changeset	62	by(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	63
67f2920862c7 * empty log message * nipkow parents: diff changeset	64	theorem lfp_subset_AF:
67f2920862c7 * empty log message * nipkow parents: diff changeset	65	"lfp(af A) \<subseteq> {s. \<forall> p \<in> Paths s. \<exists> i. p i \<in> A}";
67f2920862c7 * empty log message * nipkow parents: diff changeset	66	apply(rule subsetI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	67	apply(erule Lfp.induct[OF _ mono_af]);
67f2920862c7 * empty log message * nipkow parents: diff changeset	68	apply(simp add: af_def Paths_def);
67f2920862c7 * empty log message * nipkow parents: diff changeset	69	apply(erule disjE);
67f2920862c7 * empty log message * nipkow parents: diff changeset	70	apply(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	71	apply(clarify);
67f2920862c7 * empty log message * nipkow parents: diff changeset	72	apply(erule_tac x = "p 1" in allE);
67f2920862c7 * empty log message * nipkow parents: diff changeset	73	apply(clarsimp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	74	apply(erule_tac x = "\<lambda>i. p(i+1)" in allE);
67f2920862c7 * empty log message * nipkow parents: diff changeset	75	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	76	by(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	77
67f2920862c7 * empty log message * nipkow parents: diff changeset	78	text{*
67f2920862c7 * empty log message * nipkow parents: diff changeset	79	The opposite direction is proved by contradiction: if some state
67f2920862c7 * empty log message * nipkow parents: diff changeset	80	{term s} is not in @{term"lfp(af A)"}, then we can construct an
67f2920862c7 * empty log message * nipkow parents: diff changeset	81	infinite @{term A}-avoiding path starting from @{term s}. The reason is
67f2920862c7 * empty log message * nipkow parents: diff changeset	82	that by unfolding @{term"lfp"} we find that if @{term s} is not in
67f2920862c7 * empty log message * nipkow parents: diff changeset	83	@{term"lfp(af A)"}, then @{term s} is not in @{term A} and there is a
67f2920862c7 * empty log message * nipkow parents: diff changeset	84	direct successor of @{term s} that is again not in @{term"lfp(af
67f2920862c7 * empty log message * nipkow parents: diff changeset	85	A)"}. Iterating this argument yields the promised infinite
67f2920862c7 * empty log message * nipkow parents: diff changeset	86	@{term A}-avoiding path. Let us formalize this sketch.
67f2920862c7 * empty log message * nipkow parents: diff changeset	87
67f2920862c7 * empty log message * nipkow parents: diff changeset	88	The one-step argument in the above sketch
67f2920862c7 * empty log message * nipkow parents: diff changeset	89	*};
67f2920862c7 * empty log message * nipkow parents: diff changeset	90
67f2920862c7 * empty log message * nipkow parents: diff changeset	91	lemma not_in_lfp_afD:
67f2920862c7 * empty log message * nipkow parents: diff changeset	92	"s \<notin> lfp(af A) \<Longrightarrow> s \<notin> A \<and> (\<exists> t. (s,t)\<in>M \<and> t \<notin> lfp(af A))";
67f2920862c7 * empty log message * nipkow parents: diff changeset	93	apply(erule swap);
67f2920862c7 * empty log message * nipkow parents: diff changeset	94	apply(rule ssubst[OF lfp_Tarski[OF mono_af]]);
67f2920862c7 * empty log message * nipkow parents: diff changeset	95	by(simp add:af_def);
67f2920862c7 * empty log message * nipkow parents: diff changeset	96
67f2920862c7 * empty log message * nipkow parents: diff changeset	97	text{*\noindent
67f2920862c7 * empty log message * nipkow parents: diff changeset	98	is proved by a variant of contraposition (@{thm[source]swap}:
67f2920862c7 * empty log message * nipkow parents: diff changeset	99	@{thm swap[no_vars]}), i.e.\ assuming the negation of the conclusion
67f2920862c7 * empty log message * nipkow parents: diff changeset	100	and proving @{term"s : lfp(af A)"}. Unfolding @{term lfp} once and
67f2920862c7 * empty log message * nipkow parents: diff changeset	101	simplifying with the definition of @{term af} finishes the proof.
67f2920862c7 * empty log message * nipkow parents: diff changeset	102
67f2920862c7 * empty log message * nipkow parents: diff changeset	103	Now we iterate this process. The following construction of the desired
67f2920862c7 * empty log message * nipkow parents: diff changeset	104	path is parameterized by a predicate @{term P} that should hold along the path:
67f2920862c7 * empty log message * nipkow parents: diff changeset	105	*};
67f2920862c7 * empty log message * nipkow parents: diff changeset	106
67f2920862c7 * empty log message * nipkow parents: diff changeset	107	consts path :: "state \<Rightarrow> (state \<Rightarrow> bool) \<Rightarrow> (nat \<Rightarrow> state)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	108	primrec
67f2920862c7 * empty log message * nipkow parents: diff changeset	109	"path s P 0 = s"
67f2920862c7 * empty log message * nipkow parents: diff changeset	110	"path s P (Suc n) = (SOME t. (path s P n,t) \<in> M \<and> P t)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	111
67f2920862c7 * empty log message * nipkow parents: diff changeset	112	text{*\noindent
67f2920862c7 * empty log message * nipkow parents: diff changeset	113	Element @{term"n+1"} on this path is some arbitrary successor
67f2920862c7 * empty log message * nipkow parents: diff changeset	114	@{term"t"} of element @{term"n"} such that @{term"P t"} holds. Of
67f2920862c7 * empty log message * nipkow parents: diff changeset	115	course, such a @{term"t"} may in general not exist, but that is of no
67f2920862c7 * empty log message * nipkow parents: diff changeset	116	concern to us since we will only use @{term path} in such cases where a
67f2920862c7 * empty log message * nipkow parents: diff changeset	117	suitable @{term"t"} does exist.
67f2920862c7 * empty log message * nipkow parents: diff changeset	118
67f2920862c7 * empty log message * nipkow parents: diff changeset	119	Now we prove that if each state @{term"s"} that satisfies @{term"P"}
67f2920862c7 * empty log message * nipkow parents: diff changeset	120	has a successor that again satisfies @{term"P"}, then there exists an infinite @{term"P"}-path.
67f2920862c7 * empty log message * nipkow parents: diff changeset	121	*};
67f2920862c7 * empty log message * nipkow parents: diff changeset	122
67f2920862c7 * empty log message * nipkow parents: diff changeset	123	lemma seq_lemma:
67f2920862c7 * empty log message * nipkow parents: diff changeset	124	"\<lbrakk> P s; \<forall>s. P s \<longrightarrow> (\<exists> t. (s,t)\<in>M \<and> P t) \<rbrakk> \<Longrightarrow> \<exists>p\<in>Paths s. \<forall>i. P(p i)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	125
67f2920862c7 * empty log message * nipkow parents: diff changeset	126	txt{*\noindent
67f2920862c7 * empty log message * nipkow parents: diff changeset	127	First we rephrase the conclusion slightly because we need to prove both the path property
67f2920862c7 * empty log message * nipkow parents: diff changeset	128	and the fact that @{term"P"} holds simultaneously:
67f2920862c7 * empty log message * nipkow parents: diff changeset	129	*};
67f2920862c7 * empty log message * nipkow parents: diff changeset	130
67f2920862c7 * empty log message * nipkow parents: diff changeset	131	apply(subgoal_tac "\<exists> p. s = p 0 \<and> (\<forall> i. (p i,p(i+1)) \<in> M \<and> P(p i))");
67f2920862c7 * empty log message * nipkow parents: diff changeset	132
67f2920862c7 * empty log message * nipkow parents: diff changeset	133	txt{*\noindent
67f2920862c7 * empty log message * nipkow parents: diff changeset	134	From this proposition the original goal follows easily
67f2920862c7 * empty log message * nipkow parents: diff changeset	135	*};
67f2920862c7 * empty log message * nipkow parents: diff changeset	136
67f2920862c7 * empty log message * nipkow parents: diff changeset	137	apply(simp add:Paths_def, blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	138	apply(rule_tac x = "path s P" in exI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	139	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	140	apply(intro strip);
67f2920862c7 * empty log message * nipkow parents: diff changeset	141	apply(induct_tac i);
67f2920862c7 * empty log message * nipkow parents: diff changeset	142	apply(simp);
10000 fe6ffa46266f someI2_ex; wenzelm parents: 9992 diff changeset	143	apply(fast intro:someI2_ex);
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	144	apply(simp);
10000 fe6ffa46266f someI2_ex; wenzelm parents: 9992 diff changeset	145	apply(rule someI2_ex);
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	146	apply(blast);
10000 fe6ffa46266f someI2_ex; wenzelm parents: 9992 diff changeset	147	apply(rule someI2_ex);
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	148	apply(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	149	by(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	150
67f2920862c7 * empty log message * nipkow parents: diff changeset	151	lemma seq_lemma:
67f2920862c7 * empty log message * nipkow parents: diff changeset	152	"\<lbrakk> P s; \<forall> s. P s \<longrightarrow> (\<exists> t. (s,t)\<in>M \<and> P t) \<rbrakk> \<Longrightarrow>
67f2920862c7 * empty log message * nipkow parents: diff changeset	153	\<exists> p\<in>Paths s. \<forall> i. P(p i)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	154	apply(subgoal_tac
67f2920862c7 * empty log message * nipkow parents: diff changeset	155	"\<exists> p. s = p 0 \<and> (\<forall> i. (p i,p(Suc i))\<in>M \<and> P(p i))");
67f2920862c7 * empty log message * nipkow parents: diff changeset	156	apply(simp add:Paths_def);
67f2920862c7 * empty log message * nipkow parents: diff changeset	157	apply(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	158	apply(rule_tac x = "nat_rec s (\<lambda>n t. SOME u. (t,u)\<in>M \<and> P u)" in exI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	159	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	160	apply(intro strip);
67f2920862c7 * empty log message * nipkow parents: diff changeset	161	apply(induct_tac i);
67f2920862c7 * empty log message * nipkow parents: diff changeset	162	apply(simp);
10000 fe6ffa46266f someI2_ex; wenzelm parents: 9992 diff changeset	163	apply(fast intro:someI2_ex);
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	164	apply(simp);
10000 fe6ffa46266f someI2_ex; wenzelm parents: 9992 diff changeset	165	apply(rule someI2_ex);
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	166	apply(blast);
10000 fe6ffa46266f someI2_ex; wenzelm parents: 9992 diff changeset	167	apply(rule someI2_ex);
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	168	apply(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	169	by(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	170
67f2920862c7 * empty log message * nipkow parents: diff changeset	171	theorem AF_subset_lfp:
67f2920862c7 * empty log message * nipkow parents: diff changeset	172	"{s. \<forall> p \<in> Paths s. \<exists> i. p i \<in> A} \<subseteq> lfp(af A)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	173	apply(rule subsetI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	174	apply(erule contrapos2);
67f2920862c7 * empty log message * nipkow parents: diff changeset	175	apply simp;
67f2920862c7 * empty log message * nipkow parents: diff changeset	176	apply(drule seq_lemma);
67f2920862c7 * empty log message * nipkow parents: diff changeset	177	by(auto dest:not_in_lfp_afD);
67f2920862c7 * empty log message * nipkow parents: diff changeset	178
67f2920862c7 * empty log message * nipkow parents: diff changeset	179
67f2920862c7 * empty log message * nipkow parents: diff changeset	180	(*
67f2920862c7 * empty log message * nipkow parents: diff changeset	181	Second proof of opposite direction, directly by wellfounded induction
67f2920862c7 * empty log message * nipkow parents: diff changeset	182	on the initial segment of M that avoids A.
67f2920862c7 * empty log message * nipkow parents: diff changeset	183
67f2920862c7 * empty log message * nipkow parents: diff changeset	184	Avoid s A = the set of successors of s that can be reached by a finite A-avoiding path
67f2920862c7 * empty log message * nipkow parents: diff changeset	185	*)
67f2920862c7 * empty log message * nipkow parents: diff changeset	186
67f2920862c7 * empty log message * nipkow parents: diff changeset	187	consts Avoid :: "state \<Rightarrow> state set \<Rightarrow> state set";
67f2920862c7 * empty log message * nipkow parents: diff changeset	188	inductive "Avoid s A"
67f2920862c7 * empty log message * nipkow parents: diff changeset	189	intros "s \<in> Avoid s A"
67f2920862c7 * empty log message * nipkow parents: diff changeset	190	"\<lbrakk> t \<in> Avoid s A; t \<notin> A; (t,u) \<in> M \<rbrakk> \<Longrightarrow> u \<in> Avoid s A";
67f2920862c7 * empty log message * nipkow parents: diff changeset	191
67f2920862c7 * empty log message * nipkow parents: diff changeset	192	(* For any infinite A-avoiding path (f) in Avoid s A,
67f2920862c7 * empty log message * nipkow parents: diff changeset	193	there is some infinite A-avoiding path (p) in Avoid s A that starts with s.
67f2920862c7 * empty log message * nipkow parents: diff changeset	194	*)
67f2920862c7 * empty log message * nipkow parents: diff changeset	195	lemma ex_infinite_path[rule_format]:
67f2920862c7 * empty log message * nipkow parents: diff changeset	196	"t \<in> Avoid s A \<Longrightarrow>
67f2920862c7 * empty log message * nipkow parents: diff changeset	197	\<forall>f. t = f 0 \<longrightarrow> (\<forall>i. (f i, f (Suc i)) \<in> M \<and> f i \<in> Avoid s A \<and> f i \<notin> A)
67f2920862c7 * empty log message * nipkow parents: diff changeset	198	\<longrightarrow> (\<exists> p\<in>Paths s. \<forall>i. p i \<notin> A)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	199	apply(simp add:Paths_def);
67f2920862c7 * empty log message * nipkow parents: diff changeset	200	apply(erule Avoid.induct);
67f2920862c7 * empty log message * nipkow parents: diff changeset	201	apply(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	202	apply(rule allI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	203	apply(erule_tac x = "\<lambda>i. case i of 0 \<Rightarrow> t \| Suc i \<Rightarrow> f i" in allE);
67f2920862c7 * empty log message * nipkow parents: diff changeset	204	by(force split:nat.split);
67f2920862c7 * empty log message * nipkow parents: diff changeset	205
67f2920862c7 * empty log message * nipkow parents: diff changeset	206	lemma Avoid_in_lfp[rule_format(no_asm)]:
67f2920862c7 * empty log message * nipkow parents: diff changeset	207	"\<forall>p\<in>Paths s. \<exists>i. p i \<in> A \<Longrightarrow> t \<in> Avoid s A \<longrightarrow> t \<in> lfp(af A)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	208	apply(subgoal_tac "wf{(y,x). (x,y)\<in>M \<and> x \<in> Avoid s A \<and> y \<in> Avoid s A \<and> x \<notin> A}");
67f2920862c7 * empty log message * nipkow parents: diff changeset	209	apply(erule_tac a = t in wf_induct);
67f2920862c7 * empty log message * nipkow parents: diff changeset	210	apply(clarsimp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	211	apply(rule ssubst [OF lfp_Tarski[OF mono_af]]);
67f2920862c7 * empty log message * nipkow parents: diff changeset	212	apply(unfold af_def);
67f2920862c7 * empty log message * nipkow parents: diff changeset	213	apply(blast intro:Avoid.intros);
67f2920862c7 * empty log message * nipkow parents: diff changeset	214	apply(erule contrapos2);
67f2920862c7 * empty log message * nipkow parents: diff changeset	215	apply(simp add:wf_iff_no_infinite_down_chain);
67f2920862c7 * empty log message * nipkow parents: diff changeset	216	apply(erule exE);
67f2920862c7 * empty log message * nipkow parents: diff changeset	217	apply(rule ex_infinite_path);
67f2920862c7 * empty log message * nipkow parents: diff changeset	218	by(auto);
67f2920862c7 * empty log message * nipkow parents: diff changeset	219
67f2920862c7 * empty log message * nipkow parents: diff changeset	220	theorem AF_subset_lfp:
67f2920862c7 * empty log message * nipkow parents: diff changeset	221	"{s. \<forall>p \<in> Paths s. \<exists> i. p i \<in> A} \<subseteq> lfp(af A)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	222	apply(rule subsetI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	223	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	224	apply(erule Avoid_in_lfp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	225	by(rule Avoid.intros);
67f2920862c7 * empty log message * nipkow parents: diff changeset	226
67f2920862c7 * empty log message * nipkow parents: diff changeset	227
67f2920862c7 * empty log message * nipkow parents: diff changeset	228	theorem "mc f = {s. s \<Turnstile> f}";
67f2920862c7 * empty log message * nipkow parents: diff changeset	229	apply(induct_tac f);
67f2920862c7 * empty log message * nipkow parents: diff changeset	230	by(auto simp add: lfp_conv_EF equalityI[OF lfp_subset_AF AF_subset_lfp]);
67f2920862c7 * empty log message * nipkow parents: diff changeset	231
10133 e187dacd248f * empty log message * nipkow parents: 10000 diff changeset	232	(<)end(>)

author	nipkow
	Tue, 03 Oct 2000 11:26:54 +0200
changeset 10133	e187dacd248f
parent 10000	fe6ffa46266f
child 10149	7cfdf6a330a0
permissions	-rw-r--r--