115 apply(erule Lfp.induct[OF _ mono_af]); |
115 apply(erule Lfp.induct[OF _ mono_af]); |
116 apply(clarsimp simp add: af_def Paths_def); |
116 apply(clarsimp simp add: af_def Paths_def); |
117 (*ML"Pretty.setmargin 70"; |
117 (*ML"Pretty.setmargin 70"; |
118 pr(latex xsymbols symbols);*) |
118 pr(latex xsymbols symbols);*) |
119 txt{*\noindent |
119 txt{*\noindent |
120 FIXME OF/of with undescore? |
|
121 |
|
122 leads to the following somewhat involved proof state |
120 leads to the following somewhat involved proof state |
123 \begin{isabelle} |
121 \begin{isabelle} |
124 \ \isadigit{1}{\isachardot}\ {\isasymAnd}p{\isachardot}\ {\isasymlbrakk}p\ \isadigit{0}\ {\isasymin}\ A\ {\isasymor}\isanewline |
122 \ \isadigit{1}{\isachardot}\ {\isasymAnd}p{\isachardot}\ {\isasymlbrakk}p\ \isadigit{0}\ {\isasymin}\ A\ {\isasymor}\isanewline |
125 \ \ \ \ \ \ \ \ \ {\isacharparenleft}{\isasymforall}t{\isachardot}\ {\isacharparenleft}p\ \isadigit{0}{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymlongrightarrow}\isanewline |
123 \ \ \ \ \ \ \ \ \ {\isacharparenleft}{\isasymforall}t{\isachardot}\ {\isacharparenleft}p\ \isadigit{0}{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\ {\isasymlongrightarrow}\isanewline |
126 \ \ \ \ \ \ \ \ \ \ \ \ \ \ t\ {\isasymin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}\ {\isasymand}\isanewline |
124 \ \ \ \ \ \ \ \ \ \ \ \ \ \ t\ {\isasymin}\ lfp\ {\isacharparenleft}af\ A{\isacharparenright}\ {\isasymand}\isanewline |
372 apply(auto simp add: EF_lemma equalityI[OF AF_lemma1 AF_lemma2]); |
370 apply(auto simp add: EF_lemma equalityI[OF AF_lemma1 AF_lemma2]); |
373 done |
371 done |
374 |
372 |
375 text{* |
373 text{* |
376 The above language is not quite CTL. The latter also includes an |
374 The above language is not quite CTL. The latter also includes an |
377 until-operator, usually written as an infix @{text U}. The formula |
375 until-operator, which is the subject of the following exercise. |
378 @{term"f U g"} means ``@{term f} until @{term g}''. |
|
379 It is not definable in terms of the other operators! |
376 It is not definable in terms of the other operators! |
380 \begin{exercise} |
377 \begin{exercise} |
381 Extend the datatype of formulae by the until operator with semantics |
378 Extend the datatype of formulae by the binary until operator @{term"EU f g"} with semantics |
382 @{text[display]"s \<Turnstile> f U g = (............)"} |
379 ``there exist a path where @{term f} is true until @{term g} becomes true'' |
|
380 @{text[display]"s \<Turnstile> EU f g = (\<exists>p\<in>Paths s. \<exists>j. p j \<Turnstile> g \<and> (\<exists>i < j. p i \<Turnstile> f))"} |
383 and model checking algorithm |
381 and model checking algorithm |
384 @{text[display]"mc(f U g) = (............)"} |
382 @{text[display]"mc(EU f g) = lfp(\<lambda>T. mc g \<union> mc f \<inter> (M^-1 ^^ T))"} |
385 Prove that the equivalence between semantics and model checking still holds. |
383 Prove the equivalence between semantics and model checking, i.e.\ |
|
384 @{prop"mc(EU f g) = {s. s \<Turnstile> EU f g}"}. |
|
385 |
|
386 For readability you may want to equip @{term EU} with the following customary syntax: |
|
387 @{text"E[f U g]"}. |
386 \end{exercise} |
388 \end{exercise} |
387 |
389 |
388 Let us close this section with a few words about the executability of @{term mc}. |
390 Let us close this section with a few words about the executability of @{term mc}. |
389 It is clear that if all sets are finite, they can be represented as lists and the usual |
391 It is clear that if all sets are finite, they can be represented as lists and the usual |
390 set operations are easily implemented. Only @{term lfp} requires a little thought. |
392 set operations are easily implemented. Only @{term lfp} requires a little thought. |