7 theory CTL |
7 theory CTL |
8 imports Main |
8 imports Main |
9 begin |
9 begin |
10 |
10 |
11 text \<open> |
11 text \<open> |
12 We formalize basic concepts of Computational Tree Logic (CTL) |
12 We formalize basic concepts of Computational Tree Logic (CTL) @{cite |
13 @{cite "McMillan-PhDThesis" and "McMillan-LectureNotes"} within the |
13 "McMillan-PhDThesis" and "McMillan-LectureNotes"} within the simply-typed |
14 simply-typed set theory of HOL. |
14 set theory of HOL. |
15 |
15 |
16 By using the common technique of ``shallow embedding'', a CTL |
16 By using the common technique of ``shallow embedding'', a CTL formula is |
17 formula is identified with the corresponding set of states where it |
17 identified with the corresponding set of states where it holds. |
18 holds. Consequently, CTL operations such as negation, conjunction, |
18 Consequently, CTL operations such as negation, conjunction, disjunction |
19 disjunction simply become complement, intersection, union of sets. |
19 simply become complement, intersection, union of sets. We only require a |
20 We only require a separate operation for implication, as point-wise |
20 separate operation for implication, as point-wise inclusion is usually not |
21 inclusion is usually not encountered in plain set-theory. |
21 encountered in plain set-theory. |
22 \<close> |
22 \<close> |
23 |
23 |
24 lemmas [intro!] = Int_greatest Un_upper2 Un_upper1 Int_lower1 Int_lower2 |
24 lemmas [intro!] = Int_greatest Un_upper2 Un_upper1 Int_lower1 Int_lower2 |
25 |
25 |
26 type_synonym 'a ctl = "'a set" |
26 type_synonym 'a ctl = "'a set" |
32 lemma [intro!]: "p \<inter> p \<rightarrow> q \<subseteq> q" unfolding imp_def by auto |
32 lemma [intro!]: "p \<inter> p \<rightarrow> q \<subseteq> q" unfolding imp_def by auto |
33 lemma [intro!]: "p \<subseteq> (q \<rightarrow> p)" unfolding imp_def by rule |
33 lemma [intro!]: "p \<subseteq> (q \<rightarrow> p)" unfolding imp_def by rule |
34 |
34 |
35 |
35 |
36 text \<open> |
36 text \<open> |
37 \smallskip The CTL path operators are more interesting; they are |
37 \<^smallskip> |
38 based on an arbitrary, but fixed model \<open>\<M>\<close>, which is simply |
38 The CTL path operators are more interesting; they are based on an arbitrary, |
39 a transition relation over states @{typ "'a"}. |
39 but fixed model \<open>\<M>\<close>, which is simply a transition relation over states |
|
40 @{typ 'a}. |
40 \<close> |
41 \<close> |
41 |
42 |
42 axiomatization \<M> :: "('a \<times> 'a) set" |
43 axiomatization \<M> :: "('a \<times> 'a) set" |
43 |
44 |
44 text \<open> |
45 text \<open> |
45 The operators \<open>\<EX>\<close>, \<open>\<EF>\<close>, \<open>\<EG>\<close> are taken |
46 The operators \<open>\<EX>\<close>, \<open>\<EF>\<close>, \<open>\<EG>\<close> are taken as primitives, while |
46 as primitives, while \<open>\<AX>\<close>, \<open>\<AF>\<close>, \<open>\<AG>\<close> are |
47 \<open>\<AX>\<close>, \<open>\<AF>\<close>, \<open>\<AG>\<close> are defined as derived ones. The formula \<open>\<EX> p\<close> |
47 defined as derived ones. The formula \<open>\<EX> p\<close> holds in a |
48 holds in a state @{term s}, iff there is a successor state @{term s'} (with |
48 state @{term s}, iff there is a successor state @{term s'} (with |
49 respect to the model @{term \<M>}), such that @{term p} holds in @{term s'}. |
49 respect to the model @{term \<M>}), such that @{term p} holds in |
50 The formula \<open>\<EF> p\<close> holds in a state @{term s}, iff there is a path in |
50 @{term s'}. The formula \<open>\<EF> p\<close> holds in a state @{term |
51 \<open>\<M>\<close>, starting from @{term s}, such that there exists a state @{term s'} on |
51 s}, iff there is a path in \<open>\<M>\<close>, starting from @{term s}, |
52 the path, such that @{term p} holds in @{term s'}. The formula \<open>\<EG> p\<close> |
52 such that there exists a state @{term s'} on the path, such that |
53 holds in a state @{term s}, iff there is a path, starting from @{term s}, |
53 @{term p} holds in @{term s'}. The formula \<open>\<EG> p\<close> holds |
54 such that for all states @{term s'} on the path, @{term p} holds in @{term |
54 in a state @{term s}, iff there is a path, starting from @{term s}, |
55 s'}. It is easy to see that \<open>\<EF> p\<close> and \<open>\<EG> p\<close> may be expressed using |
55 such that for all states @{term s'} on the path, @{term p} holds in |
56 least and greatest fixed points @{cite "McMillan-PhDThesis"}. |
56 @{term s'}. It is easy to see that \<open>\<EF> p\<close> and \<open>\<EG> p\<close> may be expressed using least and greatest fixed points |
57 \<close> |
57 @{cite "McMillan-PhDThesis"}. |
58 |
58 \<close> |
59 definition EX ("\<EX> _" [80] 90) |
59 |
60 where [simp]: "\<EX> p = {s. \<exists>s'. (s, s') \<in> \<M> \<and> s' \<in> p}" |
60 definition |
61 definition EF ("\<EF> _" [80] 90) |
61 EX ("\<EX> _" [80] 90) where "\<EX> p = {s. \<exists>s'. (s, s') \<in> \<M> \<and> s' \<in> p}" |
62 where [simp]: "\<EF> p = lfp (\<lambda>s. p \<union> \<EX> s)" |
62 definition |
63 definition EG ("\<EG> _" [80] 90) |
63 EF ("\<EF> _" [80] 90) where "\<EF> p = lfp (\<lambda>s. p \<union> \<EX> s)" |
64 where [simp]: "\<EG> p = gfp (\<lambda>s. p \<inter> \<EX> s)" |
64 definition |
65 |
65 EG ("\<EG> _" [80] 90) where "\<EG> p = gfp (\<lambda>s. p \<inter> \<EX> s)" |
66 text \<open> |
66 |
67 \<open>\<AX>\<close>, \<open>\<AF>\<close> and \<open>\<AG>\<close> are now defined dually in terms of \<open>\<EX>\<close>, |
67 text \<open> |
68 \<open>\<EF>\<close> and \<open>\<EG>\<close>. |
68 \<open>\<AX>\<close>, \<open>\<AF>\<close> and \<open>\<AG>\<close> are now defined |
69 \<close> |
69 dually in terms of \<open>\<EX>\<close>, \<open>\<EF>\<close> and \<open>\<EG>\<close>. |
70 |
70 \<close> |
71 definition AX ("\<AX> _" [80] 90) |
71 |
72 where [simp]: "\<AX> p = - \<EX> - p" |
72 definition |
73 definition AF ("\<AF> _" [80] 90) |
73 AX ("\<AX> _" [80] 90) where "\<AX> p = - \<EX> - p" |
74 where [simp]: "\<AF> p = - \<EG> - p" |
74 definition |
75 definition AG ("\<AG> _" [80] 90) |
75 AF ("\<AF> _" [80] 90) where "\<AF> p = - \<EG> - p" |
76 where [simp]: "\<AG> p = - \<EF> - p" |
76 definition |
|
77 AG ("\<AG> _" [80] 90) where "\<AG> p = - \<EF> - p" |
|
78 |
|
79 lemmas [simp] = EX_def EG_def AX_def EF_def AF_def AG_def |
|
80 |
77 |
81 |
78 |
82 subsection \<open>Basic fixed point properties\<close> |
79 subsection \<open>Basic fixed point properties\<close> |
83 |
80 |
84 text \<open> |
81 text \<open> |
85 First of all, we use the de-Morgan property of fixed points |
82 First of all, we use the de-Morgan property of fixed points. |
86 \<close> |
83 \<close> |
87 |
84 |
88 lemma lfp_gfp: "lfp f = - gfp (\<lambda>s::'a set. - (f (- s)))" |
85 lemma lfp_gfp: "lfp f = - gfp (\<lambda>s::'a set. - (f (- s)))" |
89 proof |
86 proof |
90 show "lfp f \<subseteq> - gfp (\<lambda>s. - f (- s))" |
87 show "lfp f \<subseteq> - gfp (\<lambda>s. - f (- s))" |
116 |
113 |
117 lemma gfp_lfp': "- gfp f = lfp (\<lambda>s::'a set. - (f (- s)))" |
114 lemma gfp_lfp': "- gfp f = lfp (\<lambda>s::'a set. - (f (- s)))" |
118 by (simp add: lfp_gfp) |
115 by (simp add: lfp_gfp) |
119 |
116 |
120 text \<open> |
117 text \<open> |
121 in order to give dual fixed point representations of @{term "AF p"} |
118 In order to give dual fixed point representations of @{term "\<AF> p"} and |
122 and @{term "AG p"}: |
119 @{term "\<AG> p"}: |
123 \<close> |
120 \<close> |
124 |
121 |
125 lemma AF_lfp: "\<AF> p = lfp (\<lambda>s. p \<union> \<AX> s)" by (simp add: lfp_gfp) |
122 lemma AF_lfp: "\<AF> p = lfp (\<lambda>s. p \<union> \<AX> s)" |
126 lemma AG_gfp: "\<AG> p = gfp (\<lambda>s. p \<inter> \<AX> s)" by (simp add: lfp_gfp) |
123 by (simp add: lfp_gfp) |
|
124 lemma AG_gfp: "\<AG> p = gfp (\<lambda>s. p \<inter> \<AX> s)" |
|
125 by (simp add: lfp_gfp) |
127 |
126 |
128 lemma EF_fp: "\<EF> p = p \<union> \<EX> \<EF> p" |
127 lemma EF_fp: "\<EF> p = p \<union> \<EX> \<EF> p" |
129 proof - |
128 proof - |
130 have "mono (\<lambda>s. p \<union> \<EX> s)" by rule auto |
129 have "mono (\<lambda>s. p \<union> \<EX> s)" by rule auto |
131 then show ?thesis by (simp only: EF_def) (rule lfp_unfold) |
130 then show ?thesis by (simp only: EF_def) (rule lfp_unfold) |
142 have "mono (\<lambda>s. p \<inter> \<EX> s)" by rule auto |
141 have "mono (\<lambda>s. p \<inter> \<EX> s)" by rule auto |
143 then show ?thesis by (simp only: EG_def) (rule gfp_unfold) |
142 then show ?thesis by (simp only: EG_def) (rule gfp_unfold) |
144 qed |
143 qed |
145 |
144 |
146 text \<open> |
145 text \<open> |
147 From the greatest fixed point definition of @{term "\<AG> p"}, we |
146 From the greatest fixed point definition of @{term "\<AG> p"}, we derive as |
148 derive as a consequence of the Knaster-Tarski theorem on the one |
147 a consequence of the Knaster-Tarski theorem on the one hand that @{term |
149 hand that @{term "\<AG> p"} is a fixed point of the monotonic |
148 "\<AG> p"} is a fixed point of the monotonic function |
150 function @{term "\<lambda>s. p \<inter> \<AX> s"}. |
149 @{term "\<lambda>s. p \<inter> \<AX> s"}. |
151 \<close> |
150 \<close> |
152 |
151 |
153 lemma AG_fp: "\<AG> p = p \<inter> \<AX> \<AG> p" |
152 lemma AG_fp: "\<AG> p = p \<inter> \<AX> \<AG> p" |
154 proof - |
153 proof - |
155 have "mono (\<lambda>s. p \<inter> \<AX> s)" by rule auto |
154 have "mono (\<lambda>s. p \<inter> \<AX> s)" by rule auto |
156 then show ?thesis by (simp only: AG_gfp) (rule gfp_unfold) |
155 then show ?thesis by (simp only: AG_gfp) (rule gfp_unfold) |
157 qed |
156 qed |
158 |
157 |
159 text \<open> |
158 text \<open> |
160 This fact may be split up into two inequalities (merely using |
159 This fact may be split up into two inequalities (merely using transitivity |
161 transitivity of \<open>\<subseteq>\<close>, which is an instance of the overloaded |
160 of \<open>\<subseteq>\<close>, which is an instance of the overloaded \<open>\<le>\<close> in Isabelle/HOL). |
162 \<open>\<le>\<close> in Isabelle/HOL). |
|
163 \<close> |
161 \<close> |
164 |
162 |
165 lemma AG_fp_1: "\<AG> p \<subseteq> p" |
163 lemma AG_fp_1: "\<AG> p \<subseteq> p" |
166 proof - |
164 proof - |
167 note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> p" by auto |
165 note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> p" by auto |
173 note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> \<AX> \<AG> p" by auto |
171 note AG_fp also have "p \<inter> \<AX> \<AG> p \<subseteq> \<AX> \<AG> p" by auto |
174 finally show ?thesis . |
172 finally show ?thesis . |
175 qed |
173 qed |
176 |
174 |
177 text \<open> |
175 text \<open> |
178 On the other hand, we have from the Knaster-Tarski fixed point |
176 On the other hand, we have from the Knaster-Tarski fixed point theorem that |
179 theorem that any other post-fixed point of @{term "\<lambda>s. p \<inter> AX s"} is |
177 any other post-fixed point of @{term "\<lambda>s. p \<inter> \<AX> s"} is smaller than |
180 smaller than @{term "AG p"}. A post-fixed point is a set of states |
178 @{term "\<AG> p"}. A post-fixed point is a set of states @{term q} such that |
181 @{term q} such that @{term "q \<subseteq> p \<inter> AX q"}. This leads to the |
179 @{term "q \<subseteq> p \<inter> \<AX> q"}. This leads to the following co-induction |
182 following co-induction principle for @{term "AG p"}. |
180 principle for @{term "\<AG> p"}. |
183 \<close> |
181 \<close> |
184 |
182 |
185 lemma AG_I: "q \<subseteq> p \<inter> \<AX> q \<Longrightarrow> q \<subseteq> \<AG> p" |
183 lemma AG_I: "q \<subseteq> p \<inter> \<AX> q \<Longrightarrow> q \<subseteq> \<AG> p" |
186 by (simp only: AG_gfp) (rule gfp_upperbound) |
184 by (simp only: AG_gfp) (rule gfp_upperbound) |
187 |
185 |
188 |
186 |
189 subsection \<open>The tree induction principle \label{sec:calc-ctl-tree-induct}\<close> |
187 subsection \<open>The tree induction principle \label{sec:calc-ctl-tree-induct}\<close> |
190 |
188 |
191 text \<open> |
189 text \<open> |
192 With the most basic facts available, we are now able to establish a |
190 With the most basic facts available, we are now able to establish a few more |
193 few more interesting results, leading to the \emph{tree induction} |
191 interesting results, leading to the \<^emph>\<open>tree induction\<close> principle for \<open>\<AG>\<close> |
194 principle for \<open>AG\<close> (see below). We will use some elementary |
192 (see below). We will use some elementary monotonicity and distributivity |
195 monotonicity and distributivity rules. |
193 rules. |
196 \<close> |
194 \<close> |
197 |
195 |
198 lemma AX_int: "\<AX> (p \<inter> q) = \<AX> p \<inter> \<AX> q" by auto |
196 lemma AX_int: "\<AX> (p \<inter> q) = \<AX> p \<inter> \<AX> q" by auto |
199 lemma AX_mono: "p \<subseteq> q \<Longrightarrow> \<AX> p \<subseteq> \<AX> q" by auto |
197 lemma AX_mono: "p \<subseteq> q \<Longrightarrow> \<AX> p \<subseteq> \<AX> q" by auto |
200 lemma AG_mono: "p \<subseteq> q \<Longrightarrow> \<AG> p \<subseteq> \<AG> q" |
198 lemma AG_mono: "p \<subseteq> q \<Longrightarrow> \<AG> p \<subseteq> \<AG> q" |
201 by (simp only: AG_gfp, rule gfp_mono) auto |
199 by (simp only: AG_gfp, rule gfp_mono) auto |
202 |
200 |
203 text \<open> |
201 text \<open> |
204 The formula @{term "AG p"} implies @{term "AX p"} (we use |
202 The formula @{term "AG p"} implies @{term "AX p"} (we use substitution of |
205 substitution of \<open>\<subseteq>\<close> with monotonicity). |
203 \<open>\<subseteq>\<close> with monotonicity). |
206 \<close> |
204 \<close> |
207 |
205 |
208 lemma AG_AX: "\<AG> p \<subseteq> \<AX> p" |
206 lemma AG_AX: "\<AG> p \<subseteq> \<AX> p" |
209 proof - |
207 proof - |
210 have "\<AG> p \<subseteq> \<AX> \<AG> p" by (rule AG_fp_2) |
208 have "\<AG> p \<subseteq> \<AX> \<AG> p" by (rule AG_fp_2) |
211 also have "\<AG> p \<subseteq> p" by (rule AG_fp_1) moreover note AX_mono |
209 also have "\<AG> p \<subseteq> p" by (rule AG_fp_1) |
|
210 moreover note AX_mono |
212 finally show ?thesis . |
211 finally show ?thesis . |
213 qed |
212 qed |
214 |
213 |
215 text \<open> |
214 text \<open> |
216 Furthermore we show idempotency of the \<open>\<AG>\<close> operator. |
215 Furthermore we show idempotency of the \<open>\<AG>\<close> operator. The proof is a good |
217 The proof is a good example of how accumulated facts may get |
216 example of how accumulated facts may get used to feed a single rule step. |
218 used to feed a single rule step. |
|
219 \<close> |
217 \<close> |
220 |
218 |
221 lemma AG_AG: "\<AG> \<AG> p = \<AG> p" |
219 lemma AG_AG: "\<AG> \<AG> p = \<AG> p" |
222 proof |
220 proof |
223 show "\<AG> \<AG> p \<subseteq> \<AG> p" by (rule AG_fp_1) |
221 show "\<AG> \<AG> p \<subseteq> \<AG> p" by (rule AG_fp_1) |
229 ultimately show "\<AG> p \<subseteq> \<AG> p \<inter> \<AX> \<AG> p" .. |
227 ultimately show "\<AG> p \<subseteq> \<AG> p \<inter> \<AX> \<AG> p" .. |
230 qed |
228 qed |
231 qed |
229 qed |
232 |
230 |
233 text \<open> |
231 text \<open> |
234 \smallskip We now give an alternative characterization of the \<open>\<AG>\<close> operator, which describes the \<open>\<AG>\<close> operator in |
232 \<^smallskip> |
235 an ``operational'' way by tree induction: In a state holds @{term |
233 We now give an alternative characterization of the \<open>\<AG>\<close> operator, which |
236 "AG p"} iff in that state holds @{term p}, and in all reachable |
234 describes the \<open>\<AG>\<close> operator in an ``operational'' way by tree induction: |
237 states @{term s} follows from the fact that @{term p} holds in |
235 In a state holds @{term "AG p"} iff in that state holds @{term p}, and in |
238 @{term s}, that @{term p} also holds in all successor states of |
236 all reachable states @{term s} follows from the fact that @{term p} holds in |
239 @{term s}. We use the co-induction principle @{thm [source] AG_I} |
237 @{term s}, that @{term p} also holds in all successor states of @{term s}. |
240 to establish this in a purely algebraic manner. |
238 We use the co-induction principle @{thm [source] AG_I} to establish this in |
|
239 a purely algebraic manner. |
241 \<close> |
240 \<close> |
242 |
241 |
243 theorem AG_induct: "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p" |
242 theorem AG_induct: "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p" |
244 proof |
243 proof |
245 show "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> p" (is "?lhs \<subseteq> _") |
244 show "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> p" (is "?lhs \<subseteq> _") |