1 (*<*)theory CTLind = CTL:(*>*) |
1 (*<*)theory CTLind = CTL:(*>*) |
2 |
2 |
3 subsection{*CTL revisited*} |
3 subsection{*CTL Revisited*} |
4 |
4 |
5 text{*\label{sec:CTL-revisited} |
5 text{*\label{sec:CTL-revisited} |
6 The purpose of this section is twofold: we want to demonstrate |
6 The purpose of this section is twofold: we want to demonstrate |
7 some of the induction principles and heuristics discussed above and we want to |
7 some of the induction principles and heuristics discussed above and we want to |
8 show how inductive definitions can simplify proofs. |
8 show how inductive definitions can simplify proofs. |
53 The base case (@{prop"t = s"}) is trivial (@{text blast}). |
53 The base case (@{prop"t = s"}) is trivial (@{text blast}). |
54 In the induction step, we have an infinite @{term A}-avoiding path @{term f} |
54 In the induction step, we have an infinite @{term A}-avoiding path @{term f} |
55 starting from @{term u}, a successor of @{term t}. Now we simply instantiate |
55 starting from @{term u}, a successor of @{term t}. Now we simply instantiate |
56 the @{text"\<forall>f\<in>Paths t"} in the induction hypothesis by the path starting with |
56 the @{text"\<forall>f\<in>Paths t"} in the induction hypothesis by the path starting with |
57 @{term t} and continuing with @{term f}. That is what the above $\lambda$-term |
57 @{term t} and continuing with @{term f}. That is what the above $\lambda$-term |
58 expresses. That fact that this is a path starting with @{term t} and that |
58 expresses. Simplification shows that this is a path starting with @{term t} |
59 the instantiated induction hypothesis implies the conclusion is shown by |
59 and that the instantiated induction hypothesis implies the conclusion. |
60 simplification. |
|
61 |
60 |
62 Now we come to the key lemma. It says that if @{term t} can be reached by a |
61 Now we come to the key lemma. It says that if @{term t} can be reached by a |
63 finite @{term A}-avoiding path from @{term s}, then @{prop"t \<in> lfp(af A)"}, |
62 finite @{term A}-avoiding path from @{term s}, then @{prop"t \<in> lfp(af A)"}, |
64 provided there is no infinite @{term A}-avoiding path starting from @{term |
63 provided there is no infinite @{term A}-avoiding path starting from @{term |
65 s}. |
64 s}. |
66 *} |
65 *} |
67 |
66 |
68 lemma Avoid_in_lfp[rule_format(no_asm)]: |
67 lemma Avoid_in_lfp[rule_format(no_asm)]: |
69 "\<forall>p\<in>Paths s. \<exists>i. p i \<in> A \<Longrightarrow> t \<in> Avoid s A \<longrightarrow> t \<in> lfp(af A)"; |
68 "\<forall>p\<in>Paths s. \<exists>i. p i \<in> A \<Longrightarrow> t \<in> Avoid s A \<longrightarrow> t \<in> lfp(af A)"; |
70 txt{*\noindent |
69 txt{*\noindent |
71 The trick is not to induct on @{prop"t \<in> Avoid s A"}, as already the base |
70 The trick is not to induct on @{prop"t \<in> Avoid s A"}, as even the base |
72 case would be a problem, but to proceed by well-founded induction @{term |
71 case would be a problem, but to proceed by well-founded induction on~@{term |
73 t}. Hence @{prop"t \<in> Avoid s A"} needs to be brought into the conclusion as |
72 t}. Hence\hbox{ @{prop"t \<in> Avoid s A"}} must be brought into the conclusion as |
74 well, which the directive @{text rule_format} undoes at the end (see below). |
73 well, which the directive @{text rule_format} undoes at the end (see below). |
75 But induction with respect to which well-founded relation? The restriction |
74 But induction with respect to which well-founded relation? The |
|
75 one we want is the restriction |
76 of @{term M} to @{term"Avoid s A"}: |
76 of @{term M} to @{term"Avoid s A"}: |
77 @{term[display]"{(y,x). (x,y) \<in> M \<and> x \<in> Avoid s A \<and> y \<in> Avoid s A \<and> x \<notin> A}"} |
77 @{term[display]"{(y,x). (x,y) \<in> M \<and> x \<in> Avoid s A \<and> y \<in> Avoid s A \<and> x \<notin> A}"} |
78 As we shall see in a moment, the absence of infinite @{term A}-avoiding paths |
78 As we shall see in a moment, the absence of infinite @{term A}-avoiding paths |
79 starting from @{term s} implies well-foundedness of this relation. For the |
79 starting from @{term s} implies well-foundedness of this relation. For the |
80 moment we assume this and proceed with the induction: |
80 moment we assume this and proceed with the induction: |
84 "wf{(y,x). (x,y)\<in>M \<and> x \<in> Avoid s A \<and> y \<in> Avoid s A \<and> x \<notin> A}"); |
84 "wf{(y,x). (x,y)\<in>M \<and> x \<in> Avoid s A \<and> y \<in> Avoid s A \<and> x \<notin> A}"); |
85 apply(erule_tac a = t in wf_induct); |
85 apply(erule_tac a = t in wf_induct); |
86 apply(clarsimp); |
86 apply(clarsimp); |
87 |
87 |
88 txt{*\noindent |
88 txt{*\noindent |
89 Now can assume additionally (induction hypothesis) that if @{prop"t \<notin> A"} |
89 @{subgoals[display,indent=0,margin=65]} |
|
90 \REMARK{I put in this proof state but I wonder if readers will be able to |
|
91 follow this proof. You could prove that your relation is WF in a |
|
92 lemma beforehand, maybe omitting that proof.} |
|
93 Now the induction hypothesis states that if @{prop"t \<notin> A"} |
90 then all successors of @{term t} that are in @{term"Avoid s A"} are in |
94 then all successors of @{term t} that are in @{term"Avoid s A"} are in |
91 @{term"lfp (af A)"}. To prove the actual goal we unfold @{term lfp} once. Now |
95 @{term"lfp (af A)"}. To prove the actual goal we unfold @{term lfp} once. Now |
92 we have to prove that @{term t} is in @{term A} or all successors of @{term |
96 we have to prove that @{term t} is in @{term A} or all successors of @{term |
93 t} are in @{term"lfp (af A)"}. If @{term t} is not in @{term A}, the second |
97 t} are in @{term"lfp (af A)"}. If @{term t} is not in @{term A}, the second |
94 @{term Avoid}-rule implies that all successors of @{term t} are in |
98 @{term Avoid}-rule implies that all successors of @{term t} are in |
101 apply(simp only: af_def); |
105 apply(simp only: af_def); |
102 apply(blast intro:Avoid.intros); |
106 apply(blast intro:Avoid.intros); |
103 |
107 |
104 txt{* |
108 txt{* |
105 Having proved the main goal we return to the proof obligation that the above |
109 Having proved the main goal we return to the proof obligation that the above |
106 relation is indeed well-founded. This is proved by contraposition: we assume |
110 relation is indeed well-founded. This is proved by contradiction: if |
107 the relation is not well-founded. Thus there exists an infinite @{term |
111 the relation is not well-founded then there exists an infinite @{term |
108 A}-avoiding path all in @{term"Avoid s A"}, by theorem |
112 A}-avoiding path all in @{term"Avoid s A"}, by theorem |
109 @{thm[source]wf_iff_no_infinite_down_chain}: |
113 @{thm[source]wf_iff_no_infinite_down_chain}: |
110 @{thm[display]wf_iff_no_infinite_down_chain[no_vars]} |
114 @{thm[display]wf_iff_no_infinite_down_chain[no_vars]} |
111 From lemma @{thm[source]ex_infinite_path} the existence of an infinite |
115 From lemma @{thm[source]ex_infinite_path} the existence of an infinite |
112 @{term A}-avoiding path starting in @{term s} follows, just as required for |
116 @{term A}-avoiding path starting in @{term s} follows, contradiction. |
113 the contraposition. |
|
114 *} |
117 *} |
115 |
118 |
116 apply(erule contrapos_pp); |
119 apply(erule contrapos_pp); |
117 apply(simp add:wf_iff_no_infinite_down_chain); |
120 apply(simp add:wf_iff_no_infinite_down_chain); |
118 apply(erule exE); |
121 apply(erule exE); |