isabelle: doc-src/TutorialI/CTL/PDL.thy@e187dacd248f (annotated)

10122 194c7349b6c0 * empty log message * nipkow parents: 9958 diff changeset	1	(<)theory PDL = Base:(>)
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	2
10122 194c7349b6c0 * empty log message * nipkow parents: 9958 diff changeset	3	subsection{Propositional dynmic logic---PDL}
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	4
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	5	text{*
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	6	The formulae of PDL are built up from atomic propositions via the customary
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	7	propositional connectives of negation and conjunction and the two temporal
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	8	connectives @{text AX} and @{text EF}. Since formulae are essentially
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	9	(syntax) trees, they are naturally modelled as a datatype:
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	10	*}
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	11
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	12	datatype pdl_form = Atom atom
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	13	\| NOT pdl_form
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	14	\| And pdl_form pdl_form
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	15	\| AX pdl_form
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	16	\| EF pdl_form;
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	17
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	18	text{*\noindent
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	19	The meaning of these formulae is given by saying which formula is true in
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	20	which state:
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	21	*}
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	22
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	23	consts valid :: "state \<Rightarrow> pdl_form \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80)
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	24
67f2920862c7 * empty log message * nipkow parents: diff changeset	25	primrec
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	26	"s \<Turnstile> Atom a = (a \<in> L s)"
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	27	"s \<Turnstile> NOT f = (\<not>(s \<Turnstile> f))"
67f2920862c7 * empty log message * nipkow parents: diff changeset	28	"s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)"
67f2920862c7 * empty log message * nipkow parents: diff changeset	29	"s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)"
67f2920862c7 * empty log message * nipkow parents: diff changeset	30	"s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M^* \<and> t \<Turnstile> f)";
67f2920862c7 * empty log message * nipkow parents: diff changeset	31
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	32	text{*
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	33	Now we come to the model checker itself. It maps a formula into the set of
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	34	states where the formula is true and is defined by recursion over the syntax:
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	35	*}
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	36
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	37	consts mc :: "pdl_form \<Rightarrow> state set";
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	38	primrec
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	39	"mc(Atom a) = {s. a \<in> L s}"
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	40	"mc(NOT f) = -mc f"
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	41	"mc(And f g) = mc f \<inter> mc g"
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	42	"mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}"
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	43	"mc(EF f) = lfp(\<lambda>T. mc f \<union> M^-1 ^^ T)"
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	44
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	45
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	46	text{*
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	47	Only the equation for @{term EF} deserves a comment: the postfix @{text"^-1"}
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	48	and the infix @{text"^^"} are predefined and denote the converse of a
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	49	relation and the application of a relation to a set. Thus @{term "M^-1 ^^ T"}
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	50	is the set of all predecessors of @{term T} and @{term"mc(EF f)"} is the least
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	51	set @{term T} containing @{term"mc f"} and all predecessors of @{term T}.
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	52	*}
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	53
e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	54	lemma mono_lemma: "mono(\<lambda>T. A \<union> M^-1 ^^ T)"
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	55	apply(rule monoI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	56	by(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	57
67f2920862c7 * empty log message * nipkow parents: diff changeset	58	lemma lfp_conv_EF:
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	59	"lfp(\<lambda>T. A \<union> M^-1 ^^ T) = {s. \<exists>t. (s,t) \<in> M^* \<and> t \<in> A}";
9958 67f2920862c7 * empty log message * nipkow parents: diff changeset	60	apply(rule equalityI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	61	apply(rule subsetI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	62	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	63	apply(erule Lfp.induct);
67f2920862c7 * empty log message * nipkow parents: diff changeset	64	apply(rule mono_lemma);
67f2920862c7 * empty log message * nipkow parents: diff changeset	65	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	66	apply(blast intro: r_into_rtrancl rtrancl_trans);
67f2920862c7 * empty log message * nipkow parents: diff changeset	67	apply(rule subsetI);
67f2920862c7 * empty log message * nipkow parents: diff changeset	68	apply(simp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	69	apply(erule exE);
67f2920862c7 * empty log message * nipkow parents: diff changeset	70	apply(erule conjE);
67f2920862c7 * empty log message * nipkow parents: diff changeset	71	apply(erule_tac P = "t\<in>A" in rev_mp);
67f2920862c7 * empty log message * nipkow parents: diff changeset	72	apply(erule converse_rtrancl_induct);
67f2920862c7 * empty log message * nipkow parents: diff changeset	73	apply(rule ssubst[OF lfp_Tarski[OF mono_lemma]]);
67f2920862c7 * empty log message * nipkow parents: diff changeset	74	apply(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	75	apply(rule ssubst[OF lfp_Tarski[OF mono_lemma]]);
67f2920862c7 * empty log message * nipkow parents: diff changeset	76	by(blast);
67f2920862c7 * empty log message * nipkow parents: diff changeset	77
67f2920862c7 * empty log message * nipkow parents: diff changeset	78	theorem "mc f = {s. s \<Turnstile> f}";
67f2920862c7 * empty log message * nipkow parents: diff changeset	79	apply(induct_tac f);
67f2920862c7 * empty log message * nipkow parents: diff changeset	80	by(auto simp add:lfp_conv_EF);
10133 e187dacd248f * empty log message * nipkow parents: 10122 diff changeset	81	(<)end(>)

author	nipkow
	Tue, 03 Oct 2000 11:26:54 +0200
changeset 10133	e187dacd248f
parent 10122	194c7349b6c0
child 10149	7cfdf6a330a0
permissions	-rw-r--r--