5 \isamarkupsubsection{CTL Revisited% |
5 \isamarkupsubsection{CTL Revisited% |
6 } |
6 } |
7 % |
7 % |
8 \begin{isamarkuptext}% |
8 \begin{isamarkuptext}% |
9 \label{sec:CTL-revisited} |
9 \label{sec:CTL-revisited} |
10 The purpose of this section is twofold: we want to demonstrate |
10 \index{CTL|(}% |
11 some of the induction principles and heuristics discussed above and we want to |
11 The purpose of this section is twofold: to demonstrate |
|
12 some of the induction principles and heuristics discussed above and to |
12 show how inductive definitions can simplify proofs. |
13 show how inductive definitions can simplify proofs. |
13 In \S\ref{sec:CTL} we gave a fairly involved proof of the correctness of a |
14 In \S\ref{sec:CTL} we gave a fairly involved proof of the correctness of a |
14 model checker for CTL\@. In particular the proof of the |
15 model checker for CTL\@. In particular the proof of the |
15 \isa{infinity{\isacharunderscore}lemma} on the way to \isa{AF{\isacharunderscore}lemma{\isadigit{2}}} is not as |
16 \isa{infinity{\isacharunderscore}lemma} on the way to \isa{AF{\isacharunderscore}lemma{\isadigit{2}}} is not as |
16 simple as one might intuitively expect, due to the \isa{SOME} operator |
17 simple as one might expect, due to the \isa{SOME} operator |
17 involved. Below we give a simpler proof of \isa{AF{\isacharunderscore}lemma{\isadigit{2}}} |
18 involved. Below we give a simpler proof of \isa{AF{\isacharunderscore}lemma{\isadigit{2}}} |
18 based on an auxiliary inductive definition. |
19 based on an auxiliary inductive definition. |
19 |
20 |
20 Let us call a (finite or infinite) path \emph{\isa{A}-avoiding} if it does |
21 Let us call a (finite or infinite) path \emph{\isa{A}-avoiding} if it does |
21 not touch any node in the set \isa{A}. Then \isa{AF{\isacharunderscore}lemma{\isadigit{2}}} says |
22 not touch any node in the set \isa{A}. Then \isa{AF{\isacharunderscore}lemma{\isadigit{2}}} says |
48 \isacommand{apply}{\isacharparenleft}drule{\isacharunderscore}tac\ x\ {\isacharequal}\ {\isachardoublequote}{\isasymlambda}i{\isachardot}\ case\ i\ of\ {\isadigit{0}}\ {\isasymRightarrow}\ t\ {\isacharbar}\ Suc\ i\ {\isasymRightarrow}\ f\ i{\isachardoublequote}\ \isakeyword{in}\ bspec{\isacharparenright}\isanewline |
49 \isacommand{apply}{\isacharparenleft}drule{\isacharunderscore}tac\ x\ {\isacharequal}\ {\isachardoublequote}{\isasymlambda}i{\isachardot}\ case\ i\ of\ {\isadigit{0}}\ {\isasymRightarrow}\ t\ {\isacharbar}\ Suc\ i\ {\isasymRightarrow}\ f\ i{\isachardoublequote}\ \isakeyword{in}\ bspec{\isacharparenright}\isanewline |
49 \isacommand{apply}{\isacharparenleft}simp{\isacharunderscore}all\ add{\isacharcolon}Paths{\isacharunderscore}def\ split{\isacharcolon}nat{\isachardot}split{\isacharparenright}\isanewline |
50 \isacommand{apply}{\isacharparenleft}simp{\isacharunderscore}all\ add{\isacharcolon}Paths{\isacharunderscore}def\ split{\isacharcolon}nat{\isachardot}split{\isacharparenright}\isanewline |
50 \isacommand{done}% |
51 \isacommand{done}% |
51 \begin{isamarkuptext}% |
52 \begin{isamarkuptext}% |
52 \noindent |
53 \noindent |
53 The base case (\isa{t\ {\isacharequal}\ s}) is trivial (\isa{blast}). |
54 The base case (\isa{t\ {\isacharequal}\ s}) is trivial and proved by \isa{blast}. |
54 In the induction step, we have an infinite \isa{A}-avoiding path \isa{f} |
55 In the induction step, we have an infinite \isa{A}-avoiding path \isa{f} |
55 starting from \isa{u}, a successor of \isa{t}. Now we simply instantiate |
56 starting from \isa{u}, a successor of \isa{t}. Now we simply instantiate |
56 the \isa{{\isasymforall}f{\isasymin}Paths\ t} in the induction hypothesis by the path starting with |
57 the \isa{{\isasymforall}f{\isasymin}Paths\ t} in the induction hypothesis by the path starting with |
57 \isa{t} and continuing with \isa{f}. That is what the above $\lambda$-term |
58 \isa{t} and continuing with \isa{f}. That is what the above $\lambda$-term |
58 expresses. Simplification shows that this is a path starting with \isa{t} |
59 expresses. Simplification shows that this is a path starting with \isa{t} |
59 and that the instantiated induction hypothesis implies the conclusion. |
60 and that the instantiated induction hypothesis implies the conclusion. |
60 |
61 |
61 Now we come to the key lemma. Assuming that no infinite \isa{A}-avoiding |
62 Now we come to the key lemma. Assuming that no infinite \isa{A}-avoiding |
62 path starts from \isa{s}, we want to show \isa{s\ {\isasymin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}}. For the |
63 path starts from \isa{s}, we want to show \isa{s\ {\isasymin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}}. For the |
63 inductive proof this must be generalized to the statement that every point \isa{t} |
64 inductive proof this must be generalized to the statement that every point \isa{t} |
64 ``between'' \isa{s} and \isa{A}, i.e.\ all of \isa{Avoid\ s\ A}, |
65 ``between'' \isa{s} and \isa{A}, in other words all of \isa{Avoid\ s\ A}, |
65 is contained in \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}:% |
66 is contained in \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}:% |
66 \end{isamarkuptext}% |
67 \end{isamarkuptext}% |
67 \isacommand{lemma}\ Avoid{\isacharunderscore}in{\isacharunderscore}lfp{\isacharbrackleft}rule{\isacharunderscore}format{\isacharparenleft}no{\isacharunderscore}asm{\isacharparenright}{\isacharbrackright}{\isacharcolon}\isanewline |
68 \isacommand{lemma}\ Avoid{\isacharunderscore}in{\isacharunderscore}lfp{\isacharbrackleft}rule{\isacharunderscore}format{\isacharparenleft}no{\isacharunderscore}asm{\isacharparenright}{\isacharbrackright}{\isacharcolon}\isanewline |
68 \ \ {\isachardoublequote}{\isasymforall}p{\isasymin}Paths\ s{\isachardot}\ {\isasymexists}i{\isachardot}\ p\ i\ {\isasymin}\ A\ {\isasymLongrightarrow}\ t\ {\isasymin}\ Avoid\ s\ A\ {\isasymlongrightarrow}\ t\ {\isasymin}\ lfp{\isacharparenleft}af\ A{\isacharparenright}{\isachardoublequote}% |
69 \ \ {\isachardoublequote}{\isasymforall}p{\isasymin}Paths\ s{\isachardot}\ {\isasymexists}i{\isachardot}\ p\ i\ {\isasymin}\ A\ {\isasymLongrightarrow}\ t\ {\isasymin}\ Avoid\ s\ A\ {\isasymlongrightarrow}\ t\ {\isasymin}\ lfp{\isacharparenleft}af\ A{\isacharparenright}{\isachardoublequote}% |
69 \begin{isamarkuptxt}% |
70 \begin{isamarkuptxt}% |
73 trivial. If \isa{t} is not in \isa{A} but all successors are in |
74 trivial. If \isa{t} is not in \isa{A} but all successors are in |
74 \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}} (induction hypothesis), then \isa{t\ {\isasymin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}} is |
75 \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}} (induction hypothesis), then \isa{t\ {\isasymin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}} is |
75 again trivial. |
76 again trivial. |
76 |
77 |
77 The formal counterpart of this proof sketch is a well-founded induction |
78 The formal counterpart of this proof sketch is a well-founded induction |
78 w.r.t.\ \isa{M} restricted to (roughly speaking) \isa{Avoid\ s\ A\ {\isacharminus}\ A}: |
79 on~\isa{M} restricted to \isa{Avoid\ s\ A\ {\isacharminus}\ A}, roughly speaking: |
79 \begin{isabelle}% |
80 \begin{isabelle}% |
80 \ \ \ \ \ {\isacharbraceleft}{\isacharparenleft}y{\isacharcomma}\ x{\isacharparenright}{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ y{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ x\ {\isasymin}\ Avoid\ s\ A\ {\isasymand}\ x\ {\isasymnotin}\ A{\isacharbraceright}% |
81 \ \ \ \ \ {\isacharbraceleft}{\isacharparenleft}y{\isacharcomma}\ x{\isacharparenright}{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ y{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ x\ {\isasymin}\ Avoid\ s\ A\ {\isasymand}\ x\ {\isasymnotin}\ A{\isacharbraceright}% |
81 \end{isabelle} |
82 \end{isabelle} |
82 As we shall see presently, the absence of infinite \isa{A}-avoiding paths |
83 As we shall see presently, the absence of infinite \isa{A}-avoiding paths |
83 starting from \isa{s} implies well-foundedness of this relation. For the |
84 starting from \isa{s} implies well-foundedness of this relation. For the |
98 \end{isabelle} |
99 \end{isabelle} |
99 Now the induction hypothesis states that if \isa{t\ {\isasymnotin}\ A} |
100 Now the induction hypothesis states that if \isa{t\ {\isasymnotin}\ A} |
100 then all successors of \isa{t} that are in \isa{Avoid\ s\ A} are in |
101 then all successors of \isa{t} that are in \isa{Avoid\ s\ A} are in |
101 \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}. Unfolding \isa{lfp} in the conclusion of the first |
102 \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}. Unfolding \isa{lfp} in the conclusion of the first |
102 subgoal once, we have to prove that \isa{t} is in \isa{A} or all successors |
103 subgoal once, we have to prove that \isa{t} is in \isa{A} or all successors |
103 of \isa{t} are in \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}: if \isa{t} is not in \isa{A}, |
104 of \isa{t} are in \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}. But if \isa{t} is not in \isa{A}, |
104 the second |
105 the second |
105 \isa{Avoid}-rule implies that all successors of \isa{t} are in |
106 \isa{Avoid}-rule implies that all successors of \isa{t} are in |
106 \isa{Avoid\ s\ A} (because we also assume \isa{t\ {\isasymin}\ Avoid\ s\ A}), and |
107 \isa{Avoid\ s\ A}, because we also assume \isa{t\ {\isasymin}\ Avoid\ s\ A}. |
107 hence, by the induction hypothesis, all successors of \isa{t} are indeed in |
108 Hence, by the induction hypothesis, all successors of \isa{t} are indeed in |
108 \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}. Mechanically:% |
109 \isa{lfp\ {\isacharparenleft}af\ A{\isacharparenright}}. Mechanically:% |
109 \end{isamarkuptxt}% |
110 \end{isamarkuptxt}% |
110 \ \isacommand{apply}{\isacharparenleft}subst\ lfp{\isacharunderscore}unfold{\isacharbrackleft}OF\ mono{\isacharunderscore}af{\isacharbrackright}{\isacharparenright}\isanewline |
111 \ \isacommand{apply}{\isacharparenleft}subst\ lfp{\isacharunderscore}unfold{\isacharbrackleft}OF\ mono{\isacharunderscore}af{\isacharbrackright}{\isacharparenright}\isanewline |
111 \ \isacommand{apply}{\isacharparenleft}simp\ {\isacharparenleft}no{\isacharunderscore}asm{\isacharparenright}\ add{\isacharcolon}\ af{\isacharunderscore}def{\isacharparenright}\isanewline |
112 \ \isacommand{apply}{\isacharparenleft}simp\ {\isacharparenleft}no{\isacharunderscore}asm{\isacharparenright}\ add{\isacharcolon}\ af{\isacharunderscore}def{\isacharparenright}\isanewline |
112 \ \isacommand{apply}{\isacharparenleft}blast\ intro{\isacharcolon}Avoid{\isachardot}intros{\isacharparenright}% |
113 \ \isacommand{apply}{\isacharparenleft}blast\ intro{\isacharcolon}Avoid{\isachardot}intros{\isacharparenright}% |
113 \begin{isamarkuptxt}% |
114 \begin{isamarkuptxt}% |
114 Having proved the main goal we return to the proof obligation that the above |
115 Having proved the main goal, we return to the proof obligation that the |
115 relation is indeed well-founded. This is proved by contradiction: if |
116 relation used above is indeed well-founded. This is proved by contradiction: if |
116 the relation is not well-founded then there exists an infinite \isa{A}-avoiding path all in \isa{Avoid\ s\ A}, by theorem |
117 the relation is not well-founded then there exists an infinite \isa{A}-avoiding path all in \isa{Avoid\ s\ A}, by theorem |
117 \isa{wf{\isacharunderscore}iff{\isacharunderscore}no{\isacharunderscore}infinite{\isacharunderscore}down{\isacharunderscore}chain}: |
118 \isa{wf{\isacharunderscore}iff{\isacharunderscore}no{\isacharunderscore}infinite{\isacharunderscore}down{\isacharunderscore}chain}: |
118 \begin{isabelle}% |
119 \begin{isabelle}% |
119 \ \ \ \ \ wf\ r\ {\isacharequal}\ {\isacharparenleft}{\isasymnot}\ {\isacharparenleft}{\isasymexists}f{\isachardot}\ {\isasymforall}i{\isachardot}\ {\isacharparenleft}f\ {\isacharparenleft}Suc\ i{\isacharparenright}{\isacharcomma}\ f\ i{\isacharparenright}\ {\isasymin}\ r{\isacharparenright}{\isacharparenright}% |
120 \ \ \ \ \ wf\ r\ {\isacharequal}\ {\isacharparenleft}{\isasymnot}\ {\isacharparenleft}{\isasymexists}f{\isachardot}\ {\isasymforall}i{\isachardot}\ {\isacharparenleft}f\ {\isacharparenleft}Suc\ i{\isacharparenright}{\isacharcomma}\ f\ i{\isacharparenright}\ {\isasymin}\ r{\isacharparenright}{\isacharparenright}% |
120 \end{isabelle} |
121 \end{isabelle} |
128 \isacommand{apply}{\isacharparenleft}auto\ simp\ add{\isacharcolon}Paths{\isacharunderscore}def{\isacharparenright}\isanewline |
129 \isacommand{apply}{\isacharparenleft}auto\ simp\ add{\isacharcolon}Paths{\isacharunderscore}def{\isacharparenright}\isanewline |
129 \isacommand{done}% |
130 \isacommand{done}% |
130 \begin{isamarkuptext}% |
131 \begin{isamarkuptext}% |
131 The \isa{{\isacharparenleft}no{\isacharunderscore}asm{\isacharparenright}} modifier of the \isa{rule{\isacharunderscore}format} directive in the |
132 The \isa{{\isacharparenleft}no{\isacharunderscore}asm{\isacharparenright}} modifier of the \isa{rule{\isacharunderscore}format} directive in the |
132 statement of the lemma means |
133 statement of the lemma means |
133 that the assumption is left unchanged --- otherwise the \isa{{\isasymforall}p} is turned |
134 that the assumption is left unchanged; otherwise the \isa{{\isasymforall}p} |
|
135 would be turned |
134 into a \isa{{\isasymAnd}p}, which would complicate matters below. As it is, |
136 into a \isa{{\isasymAnd}p}, which would complicate matters below. As it is, |
135 \isa{Avoid{\isacharunderscore}in{\isacharunderscore}lfp} is now |
137 \isa{Avoid{\isacharunderscore}in{\isacharunderscore}lfp} is now |
136 \begin{isabelle}% |
138 \begin{isabelle}% |
137 \ \ \ \ \ {\isasymlbrakk}{\isasymforall}p{\isasymin}Paths\ s{\isachardot}\ {\isasymexists}i{\isachardot}\ p\ i\ {\isasymin}\ A{\isacharsemicolon}\ t\ {\isasymin}\ Avoid\ s\ A{\isasymrbrakk}\ {\isasymLongrightarrow}\ t\ {\isasymin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}% |
139 \ \ \ \ \ {\isasymlbrakk}{\isasymforall}p{\isasymin}Paths\ s{\isachardot}\ {\isasymexists}i{\isachardot}\ p\ i\ {\isasymin}\ A{\isacharsemicolon}\ t\ {\isasymin}\ Avoid\ s\ A{\isasymrbrakk}\ {\isasymLongrightarrow}\ t\ {\isasymin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}% |
138 \end{isabelle} |
140 \end{isabelle} |
139 The main theorem is simply the corollary where \isa{t\ {\isacharequal}\ s}, |
141 The main theorem is simply the corollary where \isa{t\ {\isacharequal}\ s}, |
140 in which case the assumption \isa{t\ {\isasymin}\ Avoid\ s\ A} is trivially true |
142 when the assumption \isa{t\ {\isasymin}\ Avoid\ s\ A} is trivially true |
141 by the first \isa{Avoid}-rule. Isabelle confirms this:% |
143 by the first \isa{Avoid}-rule. Isabelle confirms this:% |
|
144 \index{CTL|)}% |
142 \end{isamarkuptext}% |
145 \end{isamarkuptext}% |
143 \isacommand{theorem}\ AF{\isacharunderscore}lemma{\isadigit{2}}{\isacharcolon}\ \ {\isachardoublequote}{\isacharbraceleft}s{\isachardot}\ {\isasymforall}p\ {\isasymin}\ Paths\ s{\isachardot}\ {\isasymexists}\ i{\isachardot}\ p\ i\ {\isasymin}\ A{\isacharbraceright}\ {\isasymsubseteq}\ lfp{\isacharparenleft}af\ A{\isacharparenright}{\isachardoublequote}\isanewline |
146 \isacommand{theorem}\ AF{\isacharunderscore}lemma{\isadigit{2}}{\isacharcolon}\ \ {\isachardoublequote}{\isacharbraceleft}s{\isachardot}\ {\isasymforall}p\ {\isasymin}\ Paths\ s{\isachardot}\ {\isasymexists}\ i{\isachardot}\ p\ i\ {\isasymin}\ A{\isacharbraceright}\ {\isasymsubseteq}\ lfp{\isacharparenleft}af\ A{\isacharparenright}{\isachardoublequote}\isanewline |
144 \isacommand{by}{\isacharparenleft}auto\ elim{\isacharcolon}Avoid{\isacharunderscore}in{\isacharunderscore}lfp\ intro{\isacharcolon}Avoid{\isachardot}intros{\isacharparenright}\isanewline |
147 \isacommand{by}{\isacharparenleft}auto\ elim{\isacharcolon}Avoid{\isacharunderscore}in{\isacharunderscore}lfp\ intro{\isacharcolon}Avoid{\isachardot}intros{\isacharparenright}\isanewline |
145 \isanewline |
148 \isanewline |
146 \end{isabellebody}% |
149 \end{isabellebody}% |