Mercurial Mercurial > repos > isabelle / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
src/HOL/CTL/CTL.thy
changeset 11355 778c369559d9
parent 11352 140d55f5836d
child 11758 b87aa292f50b
equal deleted inserted replaced
11354:9b80fe19407f 11355:778c369559d9 
     2 theory CTL = Main:
 
     2 theory CTL = Main:
 
     3 
     3 
     4 section {* CTL formulae *}
 
     4 section {* CTL formulae *}
 
     5 
     5 
     6 text {*
 
     6 text {*
 
     7   \tweakskip By using the common technique of ``shallow embedding'', a
 
     7   \tweakskip We formalize basic concepts of Computational Tree Logic
 
     8   CTL formula is identified with the corresponding set of states where
 
     8   (CTL) \cite{McMillan-PhDThesis,McMillan-LectureNotes} within the
 
     9   it holds.  Consequently, CTL operations such as negation,
 
     9   simply-typed set theory of HOL.
 
    10   conjunction, disjunction simply become complement, intersection,
 
    10 
    11   union of sets.  We only require a separate operation for
 
    11   By using the common technique of ``shallow embedding'', a CTL
 
    12   implication, as point-wise inclusion is usually not encountered in
 
    12   formula is identified with the corresponding set of states where it
 
    13   plain set-theory.
 
    13   holds.  Consequently, CTL operations such as negation, conjunction,
 
       
    14   disjunction simply become complement, intersection, union of sets.
 
       
    15   We only require a separate operation for implication, as point-wise
 
       
    16   inclusion is usually not encountered in plain set-theory.
 
    14 *}
 
    17 *}
 
    15 
    18 
    16 lemmas [intro!] = Int_greatest Un_upper2 Un_upper1 Int_lower1 Int_lower2
 
    19 lemmas [intro!] = Int_greatest Un_upper2 Un_upper1 Int_lower1 Int_lower2
 
    17 
    20 
    18 types 'a ctl = "'a set"
 
    21 types 'a ctl = "'a set"
 
    23 lemma [intro!]: "p \<inter> p \<rightarrow> q \<subseteq> q" by (unfold imp_def) auto
 
    26 lemma [intro!]: "p \<inter> p \<rightarrow> q \<subseteq> q" by (unfold imp_def) auto
 
    24 lemma [intro!]: "p \<subseteq> (q \<rightarrow> p)" by (unfold imp_def) rule
 
    27 lemma [intro!]: "p \<subseteq> (q \<rightarrow> p)" by (unfold imp_def) rule
 
    25 
    28 
    26 
    29 
    27 text {*
 
    30 text {*
 
    28   \smallskip The CTL path operators are more interesting; they are 
    31   \smallskip The CTL path operators are more interesting; they are
 
    29   based on an arbitrary, but fixed model @{text \<M>}, which is simply 
    32   based on an arbitrary, but fixed model @{text \<M>}, which is simply
 
    30   a transition relation over states @{typ "'a"}. 
    33   a transition relation over states @{typ "'a"}.
 
    31 *}
 
    34 *}
 
    32 
    35 
    33 consts model :: "('a \<times> 'a) set"    ("\<M>")
 
    36 consts model :: "('a \<times> 'a) set"    ("\<M>")
 
    34 
    37 
    35 text {*
 
    38 text {*
 
    36   The operators @{text \<EX>}, @{text \<EF>}, @{text \<EG>} are taken as
 
    39   The operators @{text \<EX>}, @{text \<EF>}, @{text \<EG>} are taken
 
    37   primitives, while @{text \<AX>}, @{text \<AF>}, @{text \<AG>} are
 
    40   as primitives, while @{text \<AX>}, @{text \<AF>}, @{text \<AG>} are
 
    38   defined as derived ones.  The formula @{text "\<EX> p"} holds in a
 
    41   defined as derived ones.  The formula @{text "\<EX> p"} holds in a
 
    39   state @{term s}, iff there is a successor state @{term s'} (with
 
    42   state @{term s}, iff there is a successor state @{term s'} (with
 
    40   respect to the model @{term \<M>}), such that @{term p} holds in
 
    43   respect to the model @{term \<M>}), such that @{term p} holds in
 
    41   @{term s'}.  The formula @{text "\<EF> p"} holds in a state @{term
 
    44   @{term s'}.  The formula @{text "\<EF> p"} holds in a state @{term
 
    42   s}, iff there is a path in @{text \<M>}, starting from @{term s},
 
    45   s}, iff there is a path in @{text \<M>}, starting from @{term s},
 
    53   EX :: "'a ctl \<Rightarrow> 'a ctl"    ("\<EX> _" [80] 90)    "\<EX> p \<equiv> {s. \<exists>s'. (s, s') \<in> \<M> \<and> s' \<in> p}"
 
    56   EX :: "'a ctl \<Rightarrow> 'a ctl"    ("\<EX> _" [80] 90)    "\<EX> p \<equiv> {s. \<exists>s'. (s, s') \<in> \<M> \<and> s' \<in> p}"
 
    54   EF :: "'a ctl \<Rightarrow> 'a ctl"    ("\<EF> _" [80] 90)    "\<EF> p \<equiv> lfp (\<lambda>s. p \<union> \<EX> s)"
 
    57   EF :: "'a ctl \<Rightarrow> 'a ctl"    ("\<EF> _" [80] 90)    "\<EF> p \<equiv> lfp (\<lambda>s. p \<union> \<EX> s)"
 
    55   EG :: "'a ctl \<Rightarrow> 'a ctl"    ("\<EG> _" [80] 90)    "\<EG> p \<equiv> gfp (\<lambda>s. p \<inter> \<EX> s)"
 
    58   EG :: "'a ctl \<Rightarrow> 'a ctl"    ("\<EG> _" [80] 90)    "\<EG> p \<equiv> gfp (\<lambda>s. p \<inter> \<EX> s)"
 
    56 
    59 
    57 text {*
 
    60 text {*
 
    58   @{text "\<AX>"}, @{text "\<AF>"} and @{text "\<AG>"} are now defined 
    61   @{text "\<AX>"}, @{text "\<AF>"} and @{text "\<AG>"} are now defined
 
    59   dually in terms of @{text "\<EX>"}, @{text "\<EF>"} and @{text "\<EG>"}.
 
    62   dually in terms of @{text "\<EX>"}, @{text "\<EF>"} and @{text
 
       
    63   "\<EG>"}.
 
    60 *}
 
    64 *}
 
    61 
    65 
    62 constdefs
 
    66 constdefs
 
    63   AX :: "'a ctl \<Rightarrow> 'a ctl"    ("\<AX> _" [80] 90)    "\<AX> p \<equiv> - \<EX> - p"
 
    67   AX :: "'a ctl \<Rightarrow> 'a ctl"    ("\<AX> _" [80] 90)    "\<AX> p \<equiv> - \<EX> - p"
 
    64   AF :: "'a ctl \<Rightarrow> 'a ctl"    ("\<AF> _" [80] 90)    "\<AF> p \<equiv> - \<EG> - p"
 
    68   AF :: "'a ctl \<Rightarrow> 'a ctl"    ("\<AF> _" [80] 90)    "\<AF> p \<equiv> - \<EG> - p"
 
    65   AG :: "'a ctl \<Rightarrow> 'a ctl"    ("\<AG> _" [80] 90)    "\<AG> p \<equiv> - \<EF> - p"
 
    69   AG :: "'a ctl \<Rightarrow> 'a ctl"    ("\<AG> _" [80] 90)    "\<AG> p \<equiv> - \<EF> - p"
 
    66 
    70 
    67 lemmas [simp] = EX_def EG_def AX_def EF_def AF_def AG_def
 
    71 lemmas [simp] = EX_def EG_def AX_def EF_def AF_def AG_def
 
    68 
    72 
    69 
    73 
    70 
       
    71 section {* Basic fixed point properties *}
 
    74 section {* Basic fixed point properties *}
 
    72 
    75 
    73 text {*
 
    76 text {*
 
    74   \tweakskip First of all, we use the de-Morgan property of fixed points
 
    77   \tweakskip First of all, we use the de-Morgan property of fixed
 
       
    78   points
 
    75 *}
 
    79 *}
 
    76 
    80 
    77 lemma lfp_gfp: "lfp f = - gfp (\<lambda>s . - (f (- s)))"
 
    81 lemma lfp_gfp: "lfp f = - gfp (\<lambda>s . - (f (- s)))"
 
    78 proof
 
    82 proof
 
    79   show "lfp f \<subseteq> - gfp (\<lambda>s. - f (- s))"
 
    83   show "lfp f \<subseteq> - gfp (\<lambda>s. - f (- s))"
 
   129 proof -
 
   133 proof -
 
   130   have "mono (\<lambda>s. p \<inter> \<EX> s)" by rule (auto simp add: EX_def)
 
   134   have "mono (\<lambda>s. p \<inter> \<EX> s)" by rule (auto simp add: EX_def)
 
   131   then show ?thesis by (simp only: EG_def) (rule gfp_unfold)
 
   135   then show ?thesis by (simp only: EG_def) (rule gfp_unfold)
 
   132 qed
 
   136 qed
 
   133 
   137 
   134 
       
   135 text {*
 
   138 text {*
 
   136   From the greatest fixed point definition of @{term "\<AG> p"}, we
 
   139   From the greatest fixed point definition of @{term "\<AG> p"}, we
 
   137   derive as a consequence of the Knaster-Tarski theorem on the one
 
   140   derive as a consequence of the Knaster-Tarski theorem on the one
 
   138   hand that @{term "\<AG> p"} is a fixed point of the monotonic
 
   141   hand that @{term "\<AG> p"} is a fixed point of the monotonic
 
   139   function @{term "\<lambda>s. p \<inter> \<AX> s"}.
 
   142   function @{term "\<lambda>s. p \<inter> \<AX> s"}.
 
   140 *}
 
   143 *}
 
   141 
   144 
   142 lemma AG_fp: "\<AG> p = p \<inter> \<AX> \<AG> p"
 
   145 lemma AG_fp: "\<AG> p = p \<inter> \<AX> \<AG> p"
 
   143 proof -
 
   146 proof -
 
   144   have "mono (\<lambda>s. p \<inter> \<AX> s)" sorry (* by rule (auto simp add: AX_def EX_def) *)
 
   147   have "mono (\<lambda>s. p \<inter> \<AX> s)" by rule (auto simp add: AX_def EX_def)
 
   145   then show ?thesis sorry (* by (simp only: AG_gfp) (rule gfp_unfold) *)
 
   148   then show ?thesis by (simp only: AG_gfp) (rule gfp_unfold)
 
   146 qed
 
   149 qed
 
   147 
   150 
   148 text {*
 
   151 text {*
 
   149   This fact may be split up into two inequalities (merely using
 
   152   This fact may be split up into two inequalities (merely using
 
   150   transitivity of @{text "\<subseteq>" }, which is an instance of the overloaded
 
   153   transitivity of @{text "\<subseteq>" }, which is an instance of the overloaded
 
   186   elementary monotonicity and distributivity rules.
 
   189   elementary monotonicity and distributivity rules.
 
   187 *}
 
   190 *}
 
   188 
   191 
   189 lemma AX_int: "\<AX> (p \<inter> q) = \<AX> p \<inter> \<AX> q" by auto 
   192 lemma AX_int: "\<AX> (p \<inter> q) = \<AX> p \<inter> \<AX> q" by auto 
   190 lemma AX_mono: "p \<subseteq> q \<Longrightarrow> \<AX> p \<subseteq> \<AX> q" by auto
 
   193 lemma AX_mono: "p \<subseteq> q \<Longrightarrow> \<AX> p \<subseteq> \<AX> q" by auto
 
   191 lemma AG_mono: "p \<subseteq> q \<Longrightarrow> \<AG> p \<subseteq> \<AG> q" by (simp only: AG_gfp, rule gfp_mono) auto 
   194 lemma AG_mono: "p \<subseteq> q \<Longrightarrow> \<AG> p \<subseteq> \<AG> q"
 
       
   195   by (simp only: AG_gfp, rule gfp_mono) auto 
   192 
   196 
   193 text {*
 
   197 text {*
 
   194   The formula @{term "AG p"} implies @{term "AX p"} (we use
 
   198   The formula @{term "AG p"} implies @{term "AX p"} (we use
 
   195   substitution of @{text "\<subseteq>"} with monotonicity).
 
   199   substitution of @{text "\<subseteq>"} with monotonicity).
 
   196 *}
 
   200 *}
 
   219     ultimately show "\<AG> p \<subseteq> \<AG> p \<inter> \<AX> \<AG> p" ..
 
   223     ultimately show "\<AG> p \<subseteq> \<AG> p \<inter> \<AX> \<AG> p" ..
 
   220   qed
 
   224   qed
 
   221 qed
 
   225 qed
 
   222 
   226 
   223 text {*
 
   227 text {*
 
   224   \smallskip We now give an alternative characterization of the
 
   228   \smallskip We now give an alternative characterization of the @{text
 
   225   @{text "\<AG>"} operator, which describes the @{text "\<AG>"}
 
   229   "\<AG>"} operator, which describes the @{text "\<AG>"} operator in
 
   226   operator in an ``operational'' way by tree induction:
 
   230   an ``operational'' way by tree induction: In a state holds @{term
 
   227   In a state holds @{term "AG p"} iff
 
   231   "AG p"} iff in that state holds @{term p}, and in all reachable
 
   228   in that state holds @{term p}, and in all reachable states @{term s}
 
   232   states @{term s} follows from the fact that @{term p} holds in
 
   229   follows from the fact that @{term p} holds in @{term s}, that @{term
 
   233   @{term s}, that @{term p} also holds in all successor states of
 
   230   p} also holds in all successor states of @{term s}.  We use the
 
   234   @{term s}.  We use the co-induction principle @{thm [source] AG_I}
 
   231   co-induction principle @{thm [source] AG_I} to establish this in a
 
   235   to establish this in a purely algebraic manner.
 
   232   purely algebraic manner.
 
       
   233 *}
 
   236 *}
 
   234 
   237 
   235 theorem AG_induct: "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p"
 
   238 theorem AG_induct: "p \<inter> \<AG> (p \<rightarrow> \<AX> p) = \<AG> p"
 
   236 proof
 
   239 proof
 
   237   show "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> p"  (is "?lhs \<subseteq> _")
 
   240   show "p \<inter> \<AG> (p \<rightarrow> \<AX> p) \<subseteq> \<AG> p"  (is "?lhs \<subseteq> _")
isabelle