Mercurial Mercurial > repos > isabelle / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
doc-src/TutorialI/CTL/document/CTL.tex
changeset 10281 9554ce1c2e54
parent 10242 028f54cd2cc9
child 10363 6e8002c1790e
equal deleted inserted replaced
10280:2626d4e37341 10281:9554ce1c2e54 
    64 \isa{lfp{\isacharunderscore}lowerbound}:
 
    64 \isa{lfp{\isacharunderscore}lowerbound}:
 
    65 \begin{isabelle}%
 
    65 \begin{isabelle}%
 
    66 \ \ \ \ \ f\ S\ {\isasymsubseteq}\ S\ {\isasymLongrightarrow}\ lfp\ f\ {\isasymsubseteq}\ S%
 
    66 \ \ \ \ \ f\ S\ {\isasymsubseteq}\ S\ {\isasymLongrightarrow}\ lfp\ f\ {\isasymsubseteq}\ S%
 
    67 \end{isabelle}
 
    67 \end{isabelle}
 
    68 The instance of the premise \isa{f\ S\ {\isasymsubseteq}\ S} is proved pointwise,
 
    68 The instance of the premise \isa{f\ S\ {\isasymsubseteq}\ S} is proved pointwise,
 
    69 starting with simplification and clarification:%
 
    69 a decision that clarification takes for us:%
 
    70 \end{isamarkuptxt}%
 
    70 \end{isamarkuptxt}%
 
    71 \isacommand{apply}{\isacharparenleft}rule\ lfp{\isacharunderscore}lowerbound{\isacharparenright}\isanewline
 
    71 \isacommand{apply}{\isacharparenleft}rule\ lfp{\isacharunderscore}lowerbound{\isacharparenright}\isanewline
 
    72 \isacommand{apply}{\isacharparenleft}rule\ subsetI{\isacharparenright}\isanewline
 
       
    73 \isacommand{apply}{\isacharparenleft}clarsimp\ simp\ add{\isacharcolon}\ af{\isacharunderscore}def\ Paths{\isacharunderscore}def{\isacharparenright}%
 
    72 \isacommand{apply}{\isacharparenleft}clarsimp\ simp\ add{\isacharcolon}\ af{\isacharunderscore}def\ Paths{\isacharunderscore}def{\isacharparenright}%
 
    74 \begin{isamarkuptxt}%
 
    73 \begin{isamarkuptxt}%
 
    75 \begin{isabelle}
 
    74 \begin{isabelle}
 
    76 \ {\isadigit{1}}{\isachardot}\ {\isasymAnd}p{\isachardot}\ {\isasymlbrakk}p\ {\isadigit{0}}\ {\isasymin}\ A\ {\isasymor}\isanewline
 
    75 \ {\isadigit{1}}{\isachardot}\ {\isasymAnd}p{\isachardot}\ {\isasymlbrakk}p\ {\isadigit{0}}\ {\isasymin}\ A\ {\isasymor}\isanewline
 
    77 \ \ \ \ \ \ \ \ \ {\isacharparenleft}{\isasymforall}t{\isachardot}\ {\isacharparenleft}p\ {\isadigit{0}}{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymlongrightarrow}\isanewline
 
    76 \ \ \ \ \ \ \ \ \ {\isacharparenleft}{\isasymforall}t{\isachardot}\ {\isacharparenleft}p\ {\isadigit{0}}{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymlongrightarrow}\isanewline
 
   280 \isacommand{apply}{\isacharparenleft}induct{\isacharunderscore}tac\ f{\isacharparenright}\isanewline
 
   279 \isacommand{apply}{\isacharparenleft}induct{\isacharunderscore}tac\ f{\isacharparenright}\isanewline
 
   281 \isacommand{apply}{\isacharparenleft}auto\ simp\ add{\isacharcolon}\ EF{\isacharunderscore}lemma\ equalityI{\isacharbrackleft}OF\ AF{\isacharunderscore}lemma{\isadigit{1}}\ AF{\isacharunderscore}lemma{\isadigit{2}}{\isacharbrackright}{\isacharparenright}\isanewline
 
   280 \isacommand{apply}{\isacharparenleft}auto\ simp\ add{\isacharcolon}\ EF{\isacharunderscore}lemma\ equalityI{\isacharbrackleft}OF\ AF{\isacharunderscore}lemma{\isadigit{1}}\ AF{\isacharunderscore}lemma{\isadigit{2}}{\isacharbrackright}{\isacharparenright}\isanewline
 
   282 \isacommand{done}%
 
   281 \isacommand{done}%
 
   283 \begin{isamarkuptext}%
 
   282 \begin{isamarkuptext}%
 
   284 The above language is not quite CTL. The latter also includes an
 
   283 The above language is not quite CTL. The latter also includes an
 
   285 until-operator, which is the subject of the following exercise.
 
   284 until-operator \isa{EU\ f\ g} with semantics ``there exist a path
 
   286 It is not definable in terms of the other operators!
 
   285 where \isa{f} is true until \isa{g} becomes true''. With the help
 
       
   286 of an auxiliary function%
 
       
   287 \end{isamarkuptext}%
 
       
   288 \isacommand{consts}\ until{\isacharcolon}{\isacharcolon}\ {\isachardoublequote}state\ set\ {\isasymRightarrow}\ state\ set\ {\isasymRightarrow}\ state\ {\isasymRightarrow}\ state\ list\ {\isasymRightarrow}\ bool{\isachardoublequote}\isanewline
 
       
   289 \isacommand{primrec}\isanewline
 
       
   290 {\isachardoublequote}until\ A\ B\ s\ {\isacharbrackleft}{\isacharbrackright}\ \ \ \ {\isacharequal}\ {\isacharparenleft}s\ {\isasymin}\ B{\isacharparenright}{\isachardoublequote}\isanewline
 
       
   291 {\isachardoublequote}until\ A\ B\ s\ {\isacharparenleft}t{\isacharhash}p{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}s\ {\isasymin}\ A\ {\isasymand}\ {\isacharparenleft}s{\isacharcomma}t{\isacharparenright}\ {\isasymin}\ M\ {\isasymand}\ until\ A\ B\ t\ p{\isacharparenright}{\isachardoublequote}%
 
       
   292 \begin{isamarkuptext}%
 
       
   293 \noindent
 
       
   294 the semantics of \isa{EU} is straightforward:
 
       
   295 \begin{isabelle}%
 
       
   296 \ \ \ \ \ s\ {\isasymTurnstile}\ EU\ f\ g\ {\isacharequal}\ {\isacharparenleft}{\isasymexists}p{\isachardot}\ until\ A\ B\ s\ p{\isacharparenright}%
 
       
   297 \end{isabelle}
 
       
   298 Note that \isa{EU} is not definable in terms of the other operators!
 
       
   299 
       
   300 Model checking \isa{EU} is again a least fixed point construction:
 
       
   301 \begin{isabelle}%
 
       
   302 \ \ \ \ \ mc{\isacharparenleft}EU\ f\ g{\isacharparenright}\ {\isacharequal}\ lfp{\isacharparenleft}{\isasymlambda}T{\isachardot}\ mc\ g\ {\isasymunion}\ mc\ f\ {\isasyminter}\ {\isacharparenleft}M{\isacharcircum}{\isacharminus}{\isadigit{1}}\ {\isacharcircum}{\isacharcircum}\ T{\isacharparenright}{\isacharparenright}%
 
       
   303 \end{isabelle}
 
       
   304 
   287 \begin{exercise}
 
   305 \begin{exercise}
 
   288 Extend the datatype of formulae by the binary until operator \isa{EU\ f\ g} with semantics
 
   306 Extend the datatype of formulae by the above until operator
 
   289 ``there exist a path where \isa{f} is true until \isa{g} becomes true''
 
   307 and prove the equivalence between semantics and model checking, i.e.\ that
 
   290 \begin{isabelle}%
 
       
   291 \ \ \ \ \ s\ {\isasymTurnstile}\ EU\ f\ g\ {\isacharequal}\ {\isacharparenleft}{\isasymexists}p{\isasymin}Paths\ s{\isachardot}\ {\isasymexists}j{\isachardot}\ p\ j\ {\isasymTurnstile}\ g\ {\isasymand}\ {\isacharparenleft}{\isasymexists}i\ {\isacharless}\ j{\isachardot}\ p\ i\ {\isasymTurnstile}\ f{\isacharparenright}{\isacharparenright}%
 
       
   292 \end{isabelle}
 
       
   293 and model checking algorithm
 
       
   294 \begin{isabelle}%
 
       
   295 \ \ \ \ \ mc{\isacharparenleft}EU\ f\ g{\isacharparenright}\ {\isacharequal}\ lfp{\isacharparenleft}{\isasymlambda}T{\isachardot}\ mc\ g\ {\isasymunion}\ mc\ f\ {\isasyminter}\ {\isacharparenleft}M{\isacharcircum}{\isacharminus}{\isadigit{1}}\ {\isacharcircum}{\isacharcircum}\ T{\isacharparenright}{\isacharparenright}%
 
       
   296 \end{isabelle}
 
       
   297 Prove the equivalence between semantics and model checking, i.e.\ that
 
       
   298 \begin{isabelle}%
 
   308 \begin{isabelle}%
 
   299 \ \ \ \ \ mc\ {\isacharparenleft}EU\ f\ g{\isacharparenright}\ {\isacharequal}\ {\isacharbraceleft}s{\isachardot}\ s\ {\isasymTurnstile}\ EU\ f\ g{\isacharbraceright}%
 
   309 \ \ \ \ \ mc\ {\isacharparenleft}EU\ f\ g{\isacharparenright}\ {\isacharequal}\ {\isacharbraceleft}s{\isachardot}\ s\ {\isasymTurnstile}\ EU\ f\ g{\isacharbraceright}%
 
   300 \end{isabelle}
 
   310 \end{isabelle}
 
   301 %For readability you may want to annotate {term EU} with its customary syntax
 
   311 %For readability you may want to annotate {term EU} with its customary syntax
 
   302 %{text[display]"| EU formula formula    E[_ U _]"}
 
   312 %{text[display]"| EU formula formula    E[_ U _]"}
 
   303 %which enables you to read and write {text"E[f U g]"} instead of {term"EU f g"}.
 
   313 %which enables you to read and write {text"E[f U g]"} instead of {term"EU f g"}.
 
   304 \end{exercise}
 
   314 \end{exercise}
 
   305 For more CTL exercises see, for example \cite{Huth-Ryan-book}.
 
   315 For more CTL exercises see, for example, \cite{Huth-Ryan-book}.%
 
   306 \bigskip
 
   316 \end{isamarkuptext}%
 
   307 
   317 %
 
       
   318 \begin{isamarkuptext}%
 
   308 Let us close this section with a few words about the executability of our model checkers.
 
   319 Let us close this section with a few words about the executability of our model checkers.
 
   309 It is clear that if all sets are finite, they can be represented as lists and the usual
 
   320 It is clear that if all sets are finite, they can be represented as lists and the usual
 
   310 set operations are easily implemented. Only \isa{lfp} requires a little thought.
 
   321 set operations are easily implemented. Only \isa{lfp} requires a little thought.
 
   311 Fortunately the HOL library proves that in the case of finite sets and a monotone \isa{F},
 
   322 Fortunately the HOL library proves that in the case of finite sets and a monotone \isa{F},
 
   312 \isa{lfp\ F} can be computed by iterated application of \isa{F} to \isa{{\isacharbraceleft}{\isacharbraceright}} until
 
   323 \isa{lfp\ F} can be computed by iterated application of \isa{F} to \isa{{\isacharbraceleft}{\isacharbraceright}} until
isabelle