89 apply(simp); |
89 apply(simp); |
90 apply(blast intro: r_into_rtrancl rtrancl_trans); |
90 apply(blast intro: r_into_rtrancl rtrancl_trans); |
91 apply(rule subsetI); |
91 apply(rule subsetI); |
92 apply(simp, clarify); |
92 apply(simp, clarify); |
93 apply(erule converse_rtrancl_induct); |
93 apply(erule converse_rtrancl_induct); |
94 apply(rule ssubst[OF lfp_Tarski[OF mono_ef]]); |
94 apply(rule ssubst[OF lfp_unfold[OF mono_ef]]); |
95 apply(blast); |
95 apply(blast); |
96 apply(rule ssubst[OF lfp_Tarski[OF mono_ef]]); |
96 apply(rule ssubst[OF lfp_unfold[OF mono_ef]]); |
97 by(blast); |
97 by(blast); |
98 (*>*) |
98 (*>*) |
99 text{* |
99 text{* |
100 All we need to prove now is that @{term mc} and @{text"\<Turnstile>"} |
100 All we need to prove now is that @{term mc} and @{text"\<Turnstile>"} |
101 agree for @{term AF}, i.e.\ that @{prop"mc(AF f) = {s. s \<Turnstile> |
101 agree for @{term AF}, i.e.\ that @{prop"mc(AF f) = {s. s \<Turnstile> |
172 *}; |
172 *}; |
173 |
173 |
174 lemma not_in_lfp_afD: |
174 lemma not_in_lfp_afD: |
175 "s \<notin> lfp(af A) \<Longrightarrow> s \<notin> A \<and> (\<exists> t. (s,t)\<in>M \<and> t \<notin> lfp(af A))"; |
175 "s \<notin> lfp(af A) \<Longrightarrow> s \<notin> A \<and> (\<exists> t. (s,t)\<in>M \<and> t \<notin> lfp(af A))"; |
176 apply(erule swap); |
176 apply(erule swap); |
177 apply(rule ssubst[OF lfp_Tarski[OF mono_af]]); |
177 apply(rule ssubst[OF lfp_unfold[OF mono_af]]); |
178 apply(simp add:af_def); |
178 apply(simp add:af_def); |
179 done; |
179 done; |
180 |
180 |
181 text{*\noindent |
181 text{*\noindent |
182 is proved by a variant of contraposition (@{thm[source]swap}: |
182 is proved by a variant of contraposition (@{thm[source]swap}: |
378 Extend the datatype of formulae by the binary until operator @{term"EU f g"} with semantics |
378 Extend the datatype of formulae by the binary until operator @{term"EU f g"} with semantics |
379 ``there exist a path where @{term f} is true until @{term g} becomes true'' |
379 ``there exist a path where @{term f} is true until @{term g} becomes true'' |
380 @{text[display]"s \<Turnstile> EU f g = (\<exists>p\<in>Paths s. \<exists>j. p j \<Turnstile> g \<and> (\<exists>i < j. p i \<Turnstile> f))"} |
380 @{text[display]"s \<Turnstile> EU f g = (\<exists>p\<in>Paths s. \<exists>j. p j \<Turnstile> g \<and> (\<exists>i < j. p i \<Turnstile> f))"} |
381 and model checking algorithm |
381 and model checking algorithm |
382 @{text[display]"mc(EU f g) = lfp(\<lambda>T. mc g \<union> mc f \<inter> (M^-1 ^^ T))"} |
382 @{text[display]"mc(EU f g) = lfp(\<lambda>T. mc g \<union> mc f \<inter> (M^-1 ^^ T))"} |
383 Prove the equivalence between semantics and model checking, i.e.\ |
383 Prove the equivalence between semantics and model checking, i.e.\ that |
384 @{prop"mc(EU f g) = {s. s \<Turnstile> EU f g}"}. |
384 @{prop[display]"mc(EU f g) = {s. s \<Turnstile> EU f g}"} |
385 |
385 %For readability you may want to annotate {term EU} with its customary syntax |
386 For readability you may want to equip @{term EU} with the following customary syntax: |
386 %{text[display]"| EU formula formula E[_ U _]"} |
387 @{text"E[f U g]"}. |
387 %which enables you to read and write {text"E[f U g]"} instead of {term"EU f g"}. |
388 \end{exercise} |
388 \end{exercise} |
389 |
389 For more CTL exercises see, for example \cite{Huth-Ryan-book,Clarke-as-well?}. |
390 Let us close this section with a few words about the executability of @{term mc}. |
390 \bigskip |
|
391 |
|
392 Let us close this section with a few words about the executability of our model checkers. |
391 It is clear that if all sets are finite, they can be represented as lists and the usual |
393 It is clear that if all sets are finite, they can be represented as lists and the usual |
392 set operations are easily implemented. Only @{term lfp} requires a little thought. |
394 set operations are easily implemented. Only @{term lfp} requires a little thought. |
393 Fortunately the HOL library proves that in the case of finite sets and a monotone @{term F}, |
395 Fortunately the HOL library proves that in the case of finite sets and a monotone @{term F}, |
394 @{term"lfp F"} can be computed by iterated application of @{term F} to @{term"{}"} until |
396 @{term"lfp F"} can be computed by iterated application of @{term F} to @{term"{}"} until |
395 a fixpoint is reached. It is possible to generate executable functional programs |
397 a fixpoint is reached. It is actually possible to generate executable functional programs |
396 from HOL definitions, but that is beyond the scope of the tutorial. |
398 from HOL definitions, but that is beyond the scope of the tutorial. |
397 *} |
399 *} |
398 |
400 |
399 (*<*) |
401 (*<*) |
400 (* |
402 (* |
426 lemma Avoid_in_lfp[rule_format(no_asm)]: |
428 lemma Avoid_in_lfp[rule_format(no_asm)]: |
427 "\<forall>p\<in>Paths s. \<exists>i. p i \<in> A \<Longrightarrow> t \<in> Avoid s A \<longrightarrow> t \<in> lfp(af A)"; |
429 "\<forall>p\<in>Paths s. \<exists>i. p i \<in> A \<Longrightarrow> t \<in> Avoid s A \<longrightarrow> t \<in> lfp(af A)"; |
428 apply(subgoal_tac "wf{(y,x). (x,y)\<in>M \<and> x \<in> Avoid s A \<and> y \<in> Avoid s A \<and> x \<notin> A}"); |
430 apply(subgoal_tac "wf{(y,x). (x,y)\<in>M \<and> x \<in> Avoid s A \<and> y \<in> Avoid s A \<and> x \<notin> A}"); |
429 apply(erule_tac a = t in wf_induct); |
431 apply(erule_tac a = t in wf_induct); |
430 apply(clarsimp); |
432 apply(clarsimp); |
431 apply(rule ssubst [OF lfp_Tarski[OF mono_af]]); |
433 apply(rule ssubst [OF lfp_unfold[OF mono_af]]); |
432 apply(unfold af_def); |
434 apply(unfold af_def); |
433 apply(blast intro:Avoid.intros); |
435 apply(blast intro:Avoid.intros); |
434 apply(erule contrapos2); |
436 apply(erule contrapos2); |
435 apply(simp add:wf_iff_no_infinite_down_chain); |
437 apply(simp add:wf_iff_no_infinite_down_chain); |
436 apply(erule exE); |
438 apply(erule exE); |