15 | AX formula |
15 | AX formula |
16 | EF formula(*>*) |
16 | EF formula(*>*) |
17 | AF formula; |
17 | AF formula; |
18 |
18 |
19 text{*\noindent |
19 text{*\noindent |
20 which stands for "always in the future": |
20 which stands for ``\emph{A}lways in the \emph{F}uture'': |
21 on all paths, at some point the formula holds. Formalizing the notion of an infinite path is easy |
21 on all infinite paths, at some point the formula holds. |
|
22 Formalizing the notion of an infinite path is easy |
22 in HOL: it is simply a function from @{typ nat} to @{typ state}. |
23 in HOL: it is simply a function from @{typ nat} to @{typ state}. |
23 *}; |
24 *}; |
24 |
25 |
25 constdefs Paths :: "state \<Rightarrow> (nat \<Rightarrow> state)set" |
26 constdefs Paths :: "state \<Rightarrow> (nat \<Rightarrow> state)set" |
26 "Paths s \<equiv> {p. s = p 0 \<and> (\<forall>i. (p i, p(i+1)) \<in> M)}"; |
27 "Paths s \<equiv> {p. s = p 0 \<and> (\<forall>i. (p i, p(i+1)) \<in> M)}"; |
65 "mc(EF f) = lfp(\<lambda>T. mc f \<union> M\<inverse> `` T)"(*>*) |
66 "mc(EF f) = lfp(\<lambda>T. mc f \<union> M\<inverse> `` T)"(*>*) |
66 "mc(AF f) = lfp(af(mc f))"; |
67 "mc(AF f) = lfp(af(mc f))"; |
67 |
68 |
68 text{*\noindent |
69 text{*\noindent |
69 Because @{term af} is monotone in its second argument (and also its first, but |
70 Because @{term af} is monotone in its second argument (and also its first, but |
70 that is irrelevant) @{term"af A"} has a least fixed point: |
71 that is irrelevant), @{term"af A"} has a least fixed point: |
71 *}; |
72 *}; |
72 |
73 |
73 lemma mono_af: "mono(af A)"; |
74 lemma mono_af: "mono(af A)"; |
74 apply(simp add: mono_def af_def); |
75 apply(simp add: mono_def af_def); |
75 apply blast; |
76 apply blast; |
148 The opposite inclusion is proved by contradiction: if some state |
149 The opposite inclusion is proved by contradiction: if some state |
149 @{term s} is not in @{term"lfp(af A)"}, then we can construct an |
150 @{term s} is not in @{term"lfp(af A)"}, then we can construct an |
150 infinite @{term A}-avoiding path starting from @{term s}. The reason is |
151 infinite @{term A}-avoiding path starting from @{term s}. The reason is |
151 that by unfolding @{term lfp} we find that if @{term s} is not in |
152 that by unfolding @{term lfp} we find that if @{term s} is not in |
152 @{term"lfp(af A)"}, then @{term s} is not in @{term A} and there is a |
153 @{term"lfp(af A)"}, then @{term s} is not in @{term A} and there is a |
153 direct successor of @{term s} that is again not in @{term"lfp(af |
154 direct successor of @{term s} that is again not in \mbox{@{term"lfp(af |
154 A)"}. Iterating this argument yields the promised infinite |
155 A)"}}. Iterating this argument yields the promised infinite |
155 @{term A}-avoiding path. Let us formalize this sketch. |
156 @{term A}-avoiding path. Let us formalize this sketch. |
156 |
157 |
157 The one-step argument in the sketch above |
158 The one-step argument in the sketch above |
158 is proved by a variant of contraposition: |
159 is proved by a variant of contraposition: |
159 *}; |
160 *}; |
160 |
161 |
161 lemma not_in_lfp_afD: |
162 lemma not_in_lfp_afD: |
162 "s \<notin> lfp(af A) \<Longrightarrow> s \<notin> A \<and> (\<exists> t. (s,t)\<in>M \<and> t \<notin> lfp(af A))"; |
163 "s \<notin> lfp(af A) \<Longrightarrow> s \<notin> A \<and> (\<exists> t. (s,t) \<in> M \<and> t \<notin> lfp(af A))"; |
163 apply(erule contrapos_np); |
164 apply(erule contrapos_np); |
164 apply(rule ssubst[OF lfp_unfold[OF mono_af]]); |
165 apply(rule ssubst[OF lfp_unfold[OF mono_af]]); |
165 apply(simp add:af_def); |
166 apply(simp add:af_def); |
166 done; |
167 done; |
167 |
168 |
194 lemma infinity_lemma: |
195 lemma infinity_lemma: |
195 "\<lbrakk> Q s; \<forall>s. Q s \<longrightarrow> (\<exists> t. (s,t) \<in> M \<and> Q t) \<rbrakk> \<Longrightarrow> |
196 "\<lbrakk> Q s; \<forall>s. Q s \<longrightarrow> (\<exists> t. (s,t) \<in> M \<and> Q t) \<rbrakk> \<Longrightarrow> |
196 \<exists>p\<in>Paths s. \<forall>i. Q(p i)"; |
197 \<exists>p\<in>Paths s. \<forall>i. Q(p i)"; |
197 |
198 |
198 txt{*\noindent |
199 txt{*\noindent |
199 First we rephrase the conclusion slightly because we need to prove both the path property |
200 First we rephrase the conclusion slightly because we need to prove simultaneously |
200 and the fact that @{term Q} holds simultaneously: |
201 both the path property and the fact that @{term Q} holds: |
201 *}; |
202 *}; |
202 |
203 |
203 apply(subgoal_tac "\<exists>p. s = p 0 \<and> (\<forall>i. (p i,p(i+1)) \<in> M \<and> Q(p i))"); |
204 apply(subgoal_tac "\<exists>p. s = p 0 \<and> (\<forall>i. (p i,p(i+1)) \<in> M \<and> Q(p i))"); |
204 |
205 |
205 txt{*\noindent |
206 txt{*\noindent |
214 |
215 |
215 apply(rule_tac x = "path s Q" in exI); |
216 apply(rule_tac x = "path s Q" in exI); |
216 apply(clarsimp); |
217 apply(clarsimp); |
217 |
218 |
218 txt{*\noindent |
219 txt{*\noindent |
219 After simplification and clarification the subgoal has the following compact form |
220 After simplification and clarification, the subgoal has the following form |
220 @{subgoals[display,indent=0,margin=70,goals_limit=1]} |
221 @{subgoals[display,indent=0,margin=70,goals_limit=1]} |
221 and invites a proof by induction on @{term i}: |
222 and invites a proof by induction on @{term i}: |
222 *}; |
223 *}; |
223 |
224 |
224 apply(induct_tac i); |
225 apply(induct_tac i); |
225 apply(simp); |
226 apply(simp); |
226 |
227 |
227 txt{*\noindent |
228 txt{*\noindent |
228 After simplification the base case boils down to |
229 After simplification, the base case boils down to |
229 @{subgoals[display,indent=0,margin=70,goals_limit=1]} |
230 @{subgoals[display,indent=0,margin=70,goals_limit=1]} |
230 The conclusion looks exceedingly trivial: after all, @{term t} is chosen such that @{prop"(s,t):M"} |
231 The conclusion looks exceedingly trivial: after all, @{term t} is chosen such that @{prop"(s,t):M"} |
231 holds. However, we first have to show that such a @{term t} actually exists! This reasoning |
232 holds. However, we first have to show that such a @{term t} actually exists! This reasoning |
232 is embodied in the theorem @{thm[source]someI2_ex}: |
233 is embodied in the theorem @{thm[source]someI2_ex}: |
233 @{thm[display,eta_contract=false]someI2_ex} |
234 @{thm[display,eta_contract=false]someI2_ex} |
343 done |
344 done |
344 |
345 |
345 text{* |
346 text{* |
346 |
347 |
347 The language defined above is not quite CTL\@. The latter also includes an |
348 The language defined above is not quite CTL\@. The latter also includes an |
348 until-operator @{term"EU f g"} with semantics ``there exists a path |
349 until-operator @{term"EU f g"} with semantics ``there \emph{E}xists a path |
349 where @{term f} is true until @{term g} becomes true''. With the help |
350 where @{term f} is true \emph{U}ntil @{term g} becomes true''. With the help |
350 of an auxiliary function |
351 of an auxiliary function |
351 *} |
352 *} |
352 |
353 |
353 consts until:: "state set \<Rightarrow> state set \<Rightarrow> state \<Rightarrow> state list \<Rightarrow> bool" |
354 consts until:: "state set \<Rightarrow> state set \<Rightarrow> state \<Rightarrow> state list \<Rightarrow> bool" |
354 primrec |
355 primrec |
358 eusem :: "state set \<Rightarrow> state set \<Rightarrow> state set" |
359 eusem :: "state set \<Rightarrow> state set \<Rightarrow> state set" |
359 "eusem A B \<equiv> {s. \<exists>p. until A B s p}"(*>*) |
360 "eusem A B \<equiv> {s. \<exists>p. until A B s p}"(*>*) |
360 |
361 |
361 text{*\noindent |
362 text{*\noindent |
362 the semantics of @{term EU} is straightforward: |
363 the semantics of @{term EU} is straightforward: |
363 @{text[display]"s \<Turnstile> EU f g = (\<exists>p. until A B s p)"} |
364 @{prop[display]"s \<Turnstile> EU f g = (\<exists>p. until {t. t \<Turnstile> f} {t. t \<Turnstile> g} s p)"} |
364 Note that @{term EU} is not definable in terms of the other operators! |
365 Note that @{term EU} is not definable in terms of the other operators! |
365 |
366 |
366 Model checking @{term EU} is again a least fixed point construction: |
367 Model checking @{term EU} is again a least fixed point construction: |
367 @{text[display]"mc(EU f g) = lfp(\<lambda>T. mc g \<union> mc f \<inter> (M\<inverse> `` T))"} |
368 @{text[display]"mc(EU f g) = lfp(\<lambda>T. mc g \<union> mc f \<inter> (M\<inverse> `` T))"} |
368 |
369 |
455 text{* |
456 text{* |
456 Let us close this section with a few words about the executability of our model checkers. |
457 Let us close this section with a few words about the executability of our model checkers. |
457 It is clear that if all sets are finite, they can be represented as lists and the usual |
458 It is clear that if all sets are finite, they can be represented as lists and the usual |
458 set operations are easily implemented. Only @{term lfp} requires a little thought. |
459 set operations are easily implemented. Only @{term lfp} requires a little thought. |
459 Fortunately, the HOL Library% |
460 Fortunately, the HOL Library% |
460 \footnote{See theory \isa{While_Combinator_Example}.} |
461 \footnote{See theory \isa{While_Combinator}.} |
461 provides a theorem stating that |
462 provides a theorem stating that |
462 in the case of finite sets and a monotone function~@{term F}, |
463 in the case of finite sets and a monotone function~@{term F}, |
463 the value of @{term"lfp F"} can be computed by iterated application of @{term F} to~@{term"{}"} until |
464 the value of \mbox{@{term"lfp F"}} can be computed by iterated application of @{term F} to~@{term"{}"} until |
464 a fixed point is reached. It is actually possible to generate executable functional programs |
465 a fixed point is reached. It is actually possible to generate executable functional programs |
465 from HOL definitions, but that is beyond the scope of the tutorial. |
466 from HOL definitions, but that is beyond the scope of the tutorial. |
466 *} |
467 *} |
467 (*<*)end(*>*) |
468 (*<*)end(*>*) |